
[06/15] sheepdog: Don't truncate long VDI name in _open(), _create()

Message ID 1488491046-2549-7-git-send-email-armbru@redhat.com
State New

Commit Message

Markus Armbruster March 2, 2017, 9:43 p.m. UTC
sd_parse_uri() truncates long VDI names silently.  Reject them
instead.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
---
 block/sheepdog.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Eric Blake March 2, 2017, 11:32 p.m. UTC | #1
On 03/02/2017 03:43 PM, Markus Armbruster wrote:
> sd_parse_uri() truncates long VDI names silently.  Reject them
> instead.
> 
> Signed-off-by: Markus Armbruster <armbru@redhat.com>
> ---
>  block/sheepdog.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/block/sheepdog.c b/block/sheepdog.c
> index deb110e..72a52a6 100644
> --- a/block/sheepdog.c
> +++ b/block/sheepdog.c
> @@ -985,7 +985,9 @@ static int sd_parse_uri(BDRVSheepdogState *s, const char *filename,
>          ret = -EINVAL;
>          goto out;
>      }
> -    pstrcpy(vdi, SD_MAX_VDI_LEN, uri->path + 1);
> +    if (g_strlcpy(vdi, uri->path + 1, SD_MAX_VDI_LEN) >= SD_MAX_VDI_LEN) {
> +        goto out;
> +    }

Does this need to set ret? Maybe to -EINVAL?

>  
>      qp = query_params_parse(uri->query);
>      if (qp->n > 1 || (s->is_unix && !qp->n) || (!s->is_unix && qp->n)) {
>
Philippe Mathieu-Daudé March 3, 2017, 12:10 a.m. UTC | #2
On 03/02/2017 06:43 PM, Markus Armbruster wrote:
> sd_parse_uri() truncates long VDI names silently.  Reject them
> instead.
>
> Signed-off-by: Markus Armbruster <armbru@redhat.com>

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

> ---
>  block/sheepdog.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/block/sheepdog.c b/block/sheepdog.c
> index deb110e..72a52a6 100644
> --- a/block/sheepdog.c
> +++ b/block/sheepdog.c
> @@ -985,7 +985,9 @@ static int sd_parse_uri(BDRVSheepdogState *s, const char *filename,
>          ret = -EINVAL;
>          goto out;
>      }
> -    pstrcpy(vdi, SD_MAX_VDI_LEN, uri->path + 1);
> +    if (g_strlcpy(vdi, uri->path + 1, SD_MAX_VDI_LEN) >= SD_MAX_VDI_LEN) {
> +        goto out;
> +    }
>
>      qp = query_params_parse(uri->query);
>      if (qp->n > 1 || (s->is_unix && !qp->n) || (!s->is_unix && qp->n)) {
>
Philippe Mathieu-Daudé March 3, 2017, 12:25 a.m. UTC | #3
On 03/02/2017 08:32 PM, Eric Blake wrote:
> On 03/02/2017 03:43 PM, Markus Armbruster wrote:
>> sd_parse_uri() truncates long VDI names silently.  Reject them
>> instead.
>>
>> Signed-off-by: Markus Armbruster <armbru@redhat.com>
>> ---
>>  block/sheepdog.c | 4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/block/sheepdog.c b/block/sheepdog.c
>> index deb110e..72a52a6 100644
>> --- a/block/sheepdog.c
>> +++ b/block/sheepdog.c
>> @@ -985,7 +985,9 @@ static int sd_parse_uri(BDRVSheepdogState *s, const char *filename,
>>          ret = -EINVAL;
>>          goto out;
>>      }
>> -    pstrcpy(vdi, SD_MAX_VDI_LEN, uri->path + 1);
>> +    if (g_strlcpy(vdi, uri->path + 1, SD_MAX_VDI_LEN) >= SD_MAX_VDI_LEN) {
>> +        goto out;
>> +    }
>
> Does this need to set ret? Maybe to -EINVAL?
>

ups I missed that. what about -ENAMETOOLONG?
bdrv callers seem to only test for 'ret < 0'.

>>
>>      qp = query_params_parse(uri->query);
>>      if (qp->n > 1 || (s->is_unix && !qp->n) || (!s->is_unix && qp->n)) {
>>
>
Markus Armbruster March 3, 2017, 5:21 a.m. UTC | #4
Eric Blake <eblake@redhat.com> writes:

> On 03/02/2017 03:43 PM, Markus Armbruster wrote:
>> sd_parse_uri() truncates long VDI names silently.  Reject them
>> instead.
>> 
>> Signed-off-by: Markus Armbruster <armbru@redhat.com>
>> ---
>>  block/sheepdog.c | 4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>> 
>> diff --git a/block/sheepdog.c b/block/sheepdog.c
>> index deb110e..72a52a6 100644
>> --- a/block/sheepdog.c
>> +++ b/block/sheepdog.c
>> @@ -985,7 +985,9 @@ static int sd_parse_uri(BDRVSheepdogState *s, const char *filename,
>>          ret = -EINVAL;
>>          goto out;
>>      }
>> -    pstrcpy(vdi, SD_MAX_VDI_LEN, uri->path + 1);
>> +    if (g_strlcpy(vdi, uri->path + 1, SD_MAX_VDI_LEN) >= SD_MAX_VDI_LEN) {
>> +        goto out;
>> +    }
>
> Does this need to set ret? Maybe to -EINVAL?

Yes.  The next patch heals it, but of course I'll fix it anyway.

>>  
>>      qp = query_params_parse(uri->query);
>>      if (qp->n > 1 || (s->is_unix && !qp->n) || (!s->is_unix && qp->n)) {
>>
Markus Armbruster March 3, 2017, 5:21 a.m. UTC | #5
Philippe Mathieu-Daudé <f4bug@amsat.org> writes:

> On 03/02/2017 08:32 PM, Eric Blake wrote:
>> On 03/02/2017 03:43 PM, Markus Armbruster wrote:
>>> sd_parse_uri() truncates long VDI names silently.  Reject them
>>> instead.
>>>
>>> Signed-off-by: Markus Armbruster <armbru@redhat.com>
>>> ---
>>>  block/sheepdog.c | 4 +++-
>>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/block/sheepdog.c b/block/sheepdog.c
>>> index deb110e..72a52a6 100644
>>> --- a/block/sheepdog.c
>>> +++ b/block/sheepdog.c
>>> @@ -985,7 +985,9 @@ static int sd_parse_uri(BDRVSheepdogState *s, const char *filename,
>>>          ret = -EINVAL;
>>>          goto out;
>>>      }
>>> -    pstrcpy(vdi, SD_MAX_VDI_LEN, uri->path + 1);
>>> +    if (g_strlcpy(vdi, uri->path + 1, SD_MAX_VDI_LEN) >= SD_MAX_VDI_LEN) {
>>> +        goto out;
>>> +    }
>>
>> Does this need to set ret? Maybe to -EINVAL?
>>
>
> ups I missed that. what about -ENAMETOOLONG?
> bdrv callers seem to only test for 'ret < 0'.

The next patch gets rid of the error code in this function.

>>>
>>>      qp = query_params_parse(uri->query);
>>>      if (qp->n > 1 || (s->is_unix && !qp->n) || (!s->is_unix && qp->n)) {
>>>
>>

Patch

diff --git a/block/sheepdog.c b/block/sheepdog.c
index deb110e..72a52a6 100644
--- a/block/sheepdog.c
+++ b/block/sheepdog.c
@@ -985,7 +985,9 @@  static int sd_parse_uri(BDRVSheepdogState *s, const char *filename,
         ret = -EINVAL;
         goto out;
     }
-    pstrcpy(vdi, SD_MAX_VDI_LEN, uri->path + 1);
+    if (g_strlcpy(vdi, uri->path + 1, SD_MAX_VDI_LEN) >= SD_MAX_VDI_LEN) {
+        goto out;
+    }
 
     qp = query_params_parse(uri->query);
     if (qp->n > 1 || (s->is_unix && !qp->n) || (!s->is_unix && qp->n)) {
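Review bot: On the reject path of the added `g_strlcpy()` check, `vdi` has already been filled with the first SD_MAX_VDI_LEN - 1 bytes of the over-long name, so the caller's buffer holds a valid-looking truncated VDI name when the function bails out. Whether any caller reads `vdi` after a failure is not visible in this hunk, but a truncated name that happens to match another VDI is exactly the confusion this change is meant to prevent. Testing the length first with `if (strlen(uri->path + 1) >= SD_MAX_VDI_LEN) {` and copying only after it passes would leave `vdi` untouched on error. A short comment such as `/* reject over-long VDI names instead of truncating */` above the check would also record the intent. sd_parse_uri() starts and ends outside the hunk.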