On 13-04-2012 16:26, Eric Blake wrote:
> qemu_get_version returns whatever string got put there by
> qemu_set_version. Am I correct that the user has full control over the
> string passed to qemu_set_version?

Actually, this is not available to the user; the string passed to that function is supposed to be hard-coded into hw/pc_piix.c.

> If so, then you have a bug in
> nseries.c: sprintf() is asking for a buffer overflow. Remember,
> QEMU_VERSION has a compile-time fixed length, but if qemu_get_version()
> is an arbitrary user string, you no longer have a guarantee that you fit
> in version[12].

Well, I also noticed that in some places the version buffer is 12 chars long, and in other places it is 32 chars long... we could set a maximum length and make sure the string won't cause a buffer overflow (with snprintf or some other variant).

> Besides, since you are only pasting in a single string,
> you could do this more efficiently through a strcat() variant instead of
> switching to snprintf() (I'm not sure off-hand which qemu_* function is
> best for your purpose, but there's probably something out there).

I'll try that. Thanks!

--
Best regards,
Crístian.
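The point raised in the exchange above, as an added example that is not part of the thread or of QEMU's code: once the version string no longer has a compile-time-known length, writing it into version[12] with sprintf() cannot be bounded by inspection, so the write itself has to be bounded. The block below shows both fixes the thread mentions, a snprintf()-based copy that reports truncation and a bounded strcat()-style append. The buffer sizes (12 and 32) are the ones named in the thread; `get_version`, `copy_version`, `bounded_append` and the sample version strings are hypothetical and constructed here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the two buffer sizes mentioned in the thread. */
#define VERSION_BUF_SMALL 12
#define VERSION_BUF_LARGE 32

/* Hypothetical stand-in for qemu_get_version(): returns a string whose
 * length is not fixed at compile time, which is why reasoning about the
 * length of QEMU_VERSION no longer bounds an sprintf() into version[12]. */
static const char *get_version(const char *configured)
{
    return configured ? configured : "0.0.0";
}

/* Bounded replacement for the sprintf() pattern: writes at most size-1
 * characters, always NUL-terminates, and never writes at or past buf[size].
 * Returns true if the whole version fit, false if it had to be truncated. */
bool copy_version(char *buf, size_t size, const char *version)
{
    if (size == 0) {
        return false;
    }
    int needed = snprintf(buf, size, "%s", version);
    if (needed < 0) {
        buf[0] = '\0';
        return false;
    }
    /* snprintf reports the length it wanted, not what it wrote. */
    return (size_t)needed < size;
}

/* The strcat()-style alternative: append src to a NUL-terminated dst whose
 * total capacity is size, stopping before the end of the buffer. Returns
 * the number of bytes of src that were dropped (0 means a complete append). */
size_t bounded_append(char *dst, size_t size, const char *src)
{
    size_t used = strnlen(dst, size);
    if (used >= size) {
        return strlen(src);     /* dst is not terminated within size; refuse */
    }
    size_t room = size - used - 1;   /* keep one byte for the terminator */
    size_t len = strlen(src);
    size_t n = len < room ? len : room;
    memcpy(dst + used, src, n);
    dst[used + n] = '\0';
    return len - n;
}

int main(void)
{
    char small[VERSION_BUF_SMALL];
    char large[VERSION_BUF_LARGE];
    /* Constructed 28-character version string: fits in 32, not in 12. */
    const char *v = get_version("1.0.50-very-long-local-build");

    printf("into %d bytes: %s -> \"%s\"\n", VERSION_BUF_SMALL,
           copy_version(small, sizeof small, v) ? "fits" : "truncated", small);
    printf("into %d bytes: %s -> \"%s\"\n", VERSION_BUF_LARGE,
           copy_version(large, sizeof large, v) ? "fits" : "truncated", large);

    strcpy(small, "v");
    size_t dropped = bounded_append(small, sizeof small, v);
    printf("append dropped %zu bytes -> \"%s\"\n", dropped, small);
    return 0;
}
```

The return values are the part worth keeping: a caller that silently truncates a version string will still be memory-safe, but checking the result lets it log or reject an over-long value instead of shipping a mangled one.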