qmp: Fix design bug and read beyond buffer in memchar-write

Command memchar-write takes data and size parameters.  Begs the
question what happens when data doesn't match size.

With format base64, qmp_memchar_write() copies the full data argument,
regardless of size argument.

With format utf8, qmp_memchar_write() copies size bytes from data,
happily reading beyond data.  Copies crap from the heap or even
crashes.

Drop the size parameter, and always copy the full data argument.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Markus Armbruster 2013-02-06 21:27:14 +01:00 committed by Anthony Liguori
parent 15af6321f4
commit 82e59a676c
4 changed files with 6 additions and 14 deletions
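The mismatch the commit message describes, modelled as an added example that is not QEMU's code: a constructed, hypothetical ring buffer (`ring_t`, `ring_write`) stands in for the memchar device, `memchar_write_old` reproduces the pre-fix utf8 path that copies a caller-supplied `size` regardless of the string's real length, and `memchar_write_fixed` reproduces the post-fix behaviour of deriving the count from the data itself. The input string is placed inside a larger array we own and padded with known filler, so the over-read is observable rather than undefined behaviour; the base64 path is not modelled, since the patch leaves its effective behaviour unchanged.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the memchar device's ring buffer (hypothetical
 * names, no wrap-around): just enough to observe how many bytes land in it. */
#define RING_CAP 64
typedef struct {
    uint8_t buf[RING_CAP];
    size_t len;
} ring_t;

static size_t ring_write(ring_t *r, const uint8_t *src, size_t n)
{
    size_t room = RING_CAP - r->len;
    if (n > room) {
        n = room;
    }
    memcpy(r->buf + r->len, src, n);
    r->len += n;
    return n;
}

/* Pre-fix logic, utf8 path: the caller-supplied size is trusted and copied
 * even when the string is shorter than that. */
static size_t memchar_write_old(ring_t *r, const char *data, int64_t size)
{
    return ring_write(r, (const uint8_t *)data, (size_t)size);
}

/* Post-fix logic: the byte count is derived from the string itself. */
static size_t memchar_write_fixed(ring_t *r, const char *data)
{
    return ring_write(r, (const uint8_t *)data, strlen(data));
}

/* Constructed input: "hi" followed by a NUL and known 'X' filler, all inside
 * one array we own, so the over-read is observable instead of undefined. */
static void make_input(char storage[16])
{
    memset(storage, 'X', 16);
    memcpy(storage, "hi", 3);   /* "hi\0XXXXXXXXXXXXX" */
}

/* Returns how many filler bytes past the terminating NUL the old logic
 * copied into the ring when the caller claims size=8 for a 2-byte string. */
static size_t old_leaked_bytes(void)
{
    char storage[16];
    ring_t r = { {0}, 0 };
    size_t leaked = 0;
    size_t i;

    make_input(storage);
    memchar_write_old(&r, storage, 8);
    for (i = 3; i < r.len; i++) {
        if (r.buf[i] == 'X') {
            leaked++;
        }
    }
    return leaked;   /* 5: whatever followed the string in memory */
}

/* Returns how many bytes the fixed logic writes for the same input. */
static size_t fixed_written_bytes(void)
{
    char storage[16];
    ring_t r = { {0}, 0 };

    make_input(storage);
    return memchar_write_fixed(&r, storage);   /* 2 */
}

int main(void)
{
    printf("old logic, size=8 for \"hi\": %zu filler bytes copied into the ring\n",
           old_leaked_bytes());
    printf("fixed logic for \"hi\": %zu bytes copied\n", fixed_written_bytes());
    return 0;
}
```

In the real command the bytes past the NUL belong to whatever the QMP parser allocated next on the heap, which is the "crap from the heap" the commit message refers to; dropping the redundant length and trusting only the data is the general fix for any interface that accepts a buffer and a separate caller-supplied length for it.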


@ -2753,9 +2753,8 @@ static bool qemu_is_chr(const CharDriverState *chr, const char *filename)
return strcmp(chr->filename, filename);
}
void qmp_memchar_write(const char *device, int64_t size,
const char *data, bool has_format,
enum DataFormat format,
void qmp_memchar_write(const char *device, const char *data,
bool has_format, enum DataFormat format,
Error **errp)
{
CharDriverState *chr;
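Review bot: dropping `int64_t size` from the prototype is a wire-format change for memchar-write, so the QAPI schema entry and the command documentation must lose the `size` argument in the same commit or the generated marshaller will no longer match this definition; the "4 changed files" in the header suggests they are updated, but those hunks are not shown here, and any management client that still sends `size` will need to be adjusted alongside.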
@ -2774,12 +2773,11 @@ void qmp_memchar_write(const char *device, int64_t size,
return;
}
write_count = (gsize)size;
if (has_format && (format == DATA_FORMAT_BASE64)) {
write_data = g_base64_decode(data, &write_count);
} else {
write_data = (uint8_t *)data;
write_count = strlen(data);
}
ret = cirmem_chr_write(chr, write_data, write_count);
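Review bot: with `write_count = (gsize)size;` removed, the base64 branch is unaffected (g_base64_decode always stores the decoded length through `&write_count`, which is why the old code silently ignored `size` there), and the utf8 branch now bounds the copy by `strlen(data)` instead of a caller-controlled count, which closes the read past the end of `data`. Two points worth recording: the utf8 path can no longer carry an embedded NUL, which is inherent in receiving the payload as a C string rather than a regression, and the base64 branch still hands back a freshly allocated buffer in `write_data` that must be freed after `cirmem_chr_write`, which this hunk does not show.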