From patchwork Wed Feb 17 11:02:20 2016
X-Patchwork-Submitter: Ian Campbell
X-Patchwork-Id: 8336711
From: Ian Campbell
Date: Wed, 17 Feb 2016 11:02:20 +0000
Message-ID: <1455706940-27999-1-git-send-email-ian.campbell@citrix.com>
Subject: [Xen-devel] [PATCH] libxl: qmp: ensure qmp read buffer is NULL terminated

Coverity rightly points out that qmp->buffer may not be NULL terminated when passed to strncat.

Make the actual buffer a byte bigger than QMP_RECEIVE_BUFFER_SIZE and always append a NULL byte.

I suspect that in practice we have not yet seen QMP messages approaching the buffer size (4K).

Compile tested only.

CID: 1055989
Signed-off-by: Ian Campbell
Acked-by: Ian Jackson
--- tools/libxl/libxl_qmp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/libxl/libxl_qmp.c b/tools/libxl/libxl_qmp.c index 714038b..c45702e 100644 --- a/tools/libxl/libxl_qmp.c +++ b/tools/libxl/libxl_qmp.c @@ -67,7 +67,7 @@ struct libxl__qmp_handler { /* wait_for_id will be used by the synchronous send function */ int wait_for_id; - char buffer[QMP_RECEIVE_BUFFER_SIZE]; + char buffer[QMP_RECEIVE_BUFFER_SIZE + 1]; libxl__yajl_ctx *yajl_ctx; libxl_ctx *ctx; @@ -457,6 +457,7 @@ static int qmp_next(libxl__gc *gc, libxl__qmp_handler *qmp) LOGE(ERROR, "Socket read error"); return rd; } + qmp->buffer[rd] = '\0'; DEBUG_REPORT_RECEIVED(qmp->buffer, rd);
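
Review bot: the `+ 1` on `char buffer[QMP_RECEIVE_BUFFER_SIZE + 1];` in struct libxl__qmp_handler carries no comment saying the extra byte is reserved for the terminator. Without it, a later change that reads `sizeof(qmp->buffer)` bytes into the array would consume the spare byte and bring back the unterminated case. Suggest a one-line comment on the field stating that reads must stay capped at QMP_RECEIVE_BUFFER_SIZE, and a check that no existing call site sizes its read with sizeof on this array, since those call sites are outside the visible context.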
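
Review bot: in qmp_next, `qmp->buffer[rd] = '\0';` is in bounds only when 0 <= rd <= QMP_RECEIVE_BUFFER_SIZE. The lower bound depends on the error branch ending in `return rd;` just above catching every negative value, and the upper bound depends on the length argument of the read call, which is not in the hunk. Please confirm that the read is capped at QMP_RECEIVE_BUFFER_SIZE and say so in the commit message; given "Compile tested only", a run with a read that fills the buffer exactly would be worth doing before this goes in.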
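
The pattern the commit message describes, as a self-contained added example that is not code from libxl: a receive buffer with one spare byte, a read capped below the array size, and a bounded append of the terminated chunk. `struct receiver`, `RECV_CAP`, `recv_chunk`, `append_chunk` and `demo_full_read` are hypothetical names, and `RECV_CAP` is a small constructed stand-in for QMP_RECEIVE_BUFFER_SIZE.

```c
#include <string.h>
#include <unistd.h>

#define RECV_CAP 16  /* constructed stand-in for QMP_RECEIVE_BUFFER_SIZE */

struct receiver {
    char buffer[RECV_CAP + 1];   /* spare byte is reserved for the terminator */
    char pending[4 * RECV_CAP];  /* accumulated text, always NUL terminated */
};

/* Read at most RECV_CAP bytes so buffer[rd] is in bounds even on a full read. */
static ssize_t recv_chunk(int fd, struct receiver *r)
{
    ssize_t rd = read(fd, r->buffer, RECV_CAP);  /* never sizeof(r->buffer) */
    if (rd < 0)
        return rd;               /* error path: buffer contents are not used */
    r->buffer[rd] = '\0';        /* 0 <= rd <= RECV_CAP, so the index is valid */
    return rd;
}

/* Append the chunk to pending; 0 on success, -1 if it would not fit. */
static int append_chunk(struct receiver *r)
{
    size_t used = strlen(r->pending);
    size_t room = sizeof(r->pending) - used - 1;  /* keep space for '\0' */
    if (strlen(r->buffer) > room)
        return -1;
    strncat(r->pending, r->buffer, room);  /* safe: the source is terminated */
    return 0;
}

/* Push one chunk of exactly RECV_CAP bytes through a pipe; returns the
 * length of the accumulated text, or 0 on any failure. */
static size_t demo_full_read(void)
{
    int fds[2];
    struct receiver r;
    char msg[RECV_CAP];
    size_t n = 0;
    memset(&r, 'X', sizeof(r));  /* poison: no stray zero byte can terminate */
    r.pending[0] = '\0';
    memset(msg, 'a', sizeof(msg));
    if (pipe(fds) != 0)
        return 0;
    if (write(fds[1], msg, sizeof(msg)) == RECV_CAP &&
        recv_chunk(fds[0], &r) == RECV_CAP && append_chunk(&r) == 0)
        n = strlen(r.pending);
    close(fds[0]);
    close(fds[1]);
    return n;
}

int main(void) { return demo_full_read() == RECV_CAP ? 0 : 1; }
```

The struct is filled with a non-zero byte first, so the string functions stop at byte RECV_CAP only because `recv_chunk` wrote the terminator there.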