qmp: Fix design bug and read beyond buffer in memchar-write

Command memchar-write takes data and size parameters.  Begs the
question what happens when data doesn't match size.

With format base64, qmp_memchar_write() copies the full data argument,
regardless of size argument.

With format utf8, qmp_memchar_write() copies size bytes from data,
happily reading beyond data.  Copies crap from the heap or even
crashes.

Drop the size parameter, and always copy the full data argument.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Markus Armbruster 2013-02-06 21:27:14 +01:00 committed by Anthony Liguori
parent 15af6321f4
commit 82e59a676c
4 changed files with 6 additions and 14 deletions

hmp.c

@ -664,13 +664,11 @@ void hmp_pmemsave(Monitor *mon, const QDict *qdict)
void hmp_memchar_write(Monitor *mon, const QDict *qdict)
{
uint32_t size;
const char *chardev = qdict_get_str(qdict, "device");
const char *data = qdict_get_str(qdict, "data");
Error *errp = NULL;
size = strlen(data);
qmp_memchar_write(chardev, size, data, false, 0, &errp);
qmp_memchar_write(chardev, data, false, 0, &errp);
hmp_handle_error(mon, &errp);
}
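Review bot: The hunk is consistent with the commit message: `size` was only ever `strlen(data)`, so dropping the local and passing just `data` lets qmp_memchar_write() derive the length from the NUL-terminated string itself, which removes the data/size mismatch the message describes. Only hmp.c is shown here, but the summary says 4 files changed; the new `qmp_memchar_write(chardev, data, false, 0, &errp)` call only compiles if the callee signature, the QAPI schema and the HMP command definition drop the size parameter in the same commit, so those hunks should be reviewed together with this one. Minor style point on the unchanged context line `Error *errp = NULL;`: in QEMU a local error object is conventionally named `err`, with `errp` reserved for the out-parameter, so renaming it would read better, though that is pre-existing and not part of this fix.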