Eric found that passing a zero length array to nbd_connect_command or nbd_connect_systemd_socket_activation results in a segfault. This can be triggered through Python as follows:
$ nbdsh -c 'h.connect_command([])'
nbdsh: generator/states-connect.c:247: enter_STATE_CONNECT_COMMAND_START: Assertion `h->argv.ptr[0]' failed.
Aborted (core dumped)
Reported-by: Eric Blake
---
 lib/connect.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/lib/connect.c b/lib/connect.c
index 5008063034..629f35db7c 100644
--- a/lib/connect.c
+++ b/lib/connect.c
@@ -251,6 +251,11 @@ nbd_unlocked_aio_connect_socket (struct nbd_handle *h, int sock)
 int
 nbd_unlocked_aio_connect_command (struct nbd_handle *h, char **argv)
 {
+ if (argv[0] == NULL) {
+ set_error (EINVAL, "argv parameter must have at least 1 element");
+ return -1;
+ }
+
 if (nbd_internal_set_argv (&h->argv, argv) == -1) {
 set_error (errno, "realloc");
 return -1;
@@ -263,6 +268,11 @@ int
 nbd_unlocked_aio_connect_systemd_socket_activation (struct nbd_handle *h,
 char **argv)
 {
+ if (argv[0] == NULL) {
+ set_error (EINVAL, "argv parameter must have at least 1 element");
+ return -1;
+ }
+
 if (nbd_internal_set_argv (&h->argv, argv) == -1) {
 set_error (errno, "realloc");
 return -1;
--
2.37.0.rc2
_______________________________________________
Libguestfs mailing list
Libguestfs@redhat.com
https://listman.redhat.com/mailman/listinfo/libguestfs
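Review bot: The new guard in nbd_unlocked_aio_connect_command reads `argv[0]` before anything visible in this hunk has checked `argv` itself, so a NULL `argv` would become a NULL dereference instead of the intended EINVAL. The identical guard added to nbd_unlocked_aio_connect_systemd_socket_activation has the same gap. Unless the locked API wrapper (not shown in this diff) already rejects NULL, the condition could be `if (argv == NULL || argv[0] == NULL) {`. Both function bodies continue outside their hunks.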
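Review bot: The five added lines in nbd_unlocked_aio_connect_systemd_socket_activation are a verbatim copy of the check added to nbd_unlocked_aio_connect_command, and the diffstat shows only lib/connect.c changing, so no test pins the new EINVAL path. A small static helper called from both functions would keep the message and errno in one place. It would also make it harder for a later argv-taking entry point to reach the `h->argv.ptr[0]` assertion quoted in the commit message by omission. A regression test that passes an empty list to each call and expects a clean error return would guard against the caller-triggerable abort coming back.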