motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2025-08-04 08:13:54 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions

opts: don't silently truncate long parameter keys

Browse source 
The existing QemuOpts parsing code uses a fixed size 128 byte buffer
for storing the parameter keys. If a key exceeded this size it was
silently truncate and no error reported to the user. This behaviour was
reasonable & harmless because traditionally the key names are all
statically declared, and it was known that no code was declaring a key
longer than 127 bytes. This assumption, however, ceased to be valid once
the block layer added support for dot-separate compound keys. This
syntax allows for keys that can be arbitrarily long, limited only by the
number of block drivers you can stack up. With this usage, silently
truncating the key name can never lead to correct behaviour.

Hopefully such truncation would turn into an error, when the block code
then tried to extract options later, but there's no guarantee that will
happen. It is conceivable that an option specified by the user may be
truncated and then ignored. This could have serious consequences,
possibly even leading to security problems if the ignored option set a
security relevant parameter.

If the operating system didn't limit the user's argv when spawning QEMU,
the code should honour whatever length arguments were given without
imposing its own length restrictions. This patch thus changes the code
to use a heap allocated buffer for storing the keys during parsing,
lifting the arbitrary length restriction.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20180416111743.8473-3-berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2018-04-16 12:17:42 +01:00 committed by Paolo Bonzini
parent 20efc49ed6
commit e652714f98
2 changed files with 22 additions and 40 deletions
Download patch file Download diff file Expand all files Collapse all files

18
tests/test-qemu-opts.c
View file

@ -459,8 +459,6 @@ static void test_opts_parse(void)
{
Error *err = NULL;
QemuOpts *opts;
char long_key[129];
char *params;
/* Nothing */
opts = qemu_opts_parse(&opts_list_03, "", false, &error_abort);
@ -471,22 +469,6 @@ static void test_opts_parse(void)
g_assert_cmpuint(opts_count(opts), ==, 1);
g_assert_cmpstr(qemu_opt_get(opts, ""), ==, "val");
/* Long key */
memset(long_key, 'a', 127);
long_key[127] = 'z';
long_key[128] = 0;
params = g_strdup_printf("%s=v", long_key);
opts = qemu_opts_parse(&opts_list_03, params + 1, NULL, &error_abort);
g_assert_cmpuint(opts_count(opts), ==, 1);
g_assert_cmpstr(qemu_opt_get(opts, long_key + 1), ==, "v");
/* Overlong key gets truncated */
opts = qemu_opts_parse(&opts_list_03, params, NULL, &error_abort);
g_assert(opts_count(opts) == 1);
long_key[127] = 0;
g_assert_cmpstr(qemu_opt_get(opts, long_key), ==, "v");
g_free(params);
/* Multiple keys, last one wins */
opts = qemu_opts_parse(&opts_list_03, "a=1,b=2,,x,a=3",
false, &error_abort);