On 10/23/24 12:50, Alex Bennée wrote:
Pierrick Bouvier <pierrick.bouv...@linaro.org> writes:

Simply increase destination buffer size so truncation can't happen.

"cc" "-m64" "-Ilibcommon.a.p" "-Isubprojects/dtc/libfdt"
"-I../subprojects/dtc/libfdt"
"-ID:/a/_temp/msys64/mingw64/include/pixman-1"
"-ID:/a/_temp/msys64/mingw64/include/glib-2.0"
"-ID:/a/_temp/msys64/mingw64/lib/glib-2.0/include"
"-ID:/a/_temp/msys64/mingw64/include/ncursesw"
"-fdiagnostics-color=auto" "-Wall" "-Winvalid-pch" "-Werror"
"-std=gnu11" "-O2" "-g" "-fstack-protector-strong" "-Wempty-body"
"-Wendif-labels" "-Wexpansion-to-defined" "-Wformat-security"
"-Wformat-y2k" "-Wignored-qualifiers" "-Wimplicit-fallthrough=2"
"-Winit-self" "-Wmissing-format-attribute" "-Wmissing-prototypes"
"-Wnested-externs" "-Wold-style-declaration" "-Wold-style-definition"
"-Wredundant-decls" "-Wshadow=local" "-Wstrict-prototypes"
"-Wtype-limits" "-Wundef" "-Wvla" "-Wwrite-strings"
"-Wno-missing-include-dirs" "-Wno-psabi" "-Wno-shift-negative-value"
"-iquote" "." "-iquote" "D:/a/qemu/qemu" "-iquote"
"D:/a/qemu/qemu/include" "-iquote"
"D:/a/qemu/qemu/host/include/x86_64" "-iquote"
"D:/a/qemu/qemu/host/include/generic" "-iq
../net/tap-win32.c: In function 'tap_win32_open':
../net/tap-win32.c:343:19: error: '%s' directive output may be truncated 
writing up to 255 bytes into a region of size 176 [-Werror=format-truncation=]
   343 |              "%s\\%s\\Connection",
       |                   ^~
   344 |              NETWORK_CONNECTIONS_KEY, enum_name);
       |                                       ~~~~~~~~~
In function 'get_device_guid',
     inlined from 'tap_win32_open' at ../net/tap-win32.c:616:10:
../net/tap-win32.c:341:9: note: 'snprintf' output between 92 and 347
bytes into a destination of size 256

Is the compiler min/max maxing what UCS-16 or UTF-8 might pack into that string?


Yes, enum_name (used to compose final string) is already sized 256, so result *may* be bigger. I'm not sure it would happen in the real world though.

The result strings are used to access registry keys, which have a max size of 255. And device_path is used to open a file, which is limited in size too.
https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-element-size-limits

Signed-off-by: Pierrick Bouvier <pierrick.bouv...@linaro.org>
---
  net/tap-win32.c | 6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/tap-win32.c b/net/tap-win32.c
index 7edbd716337..4a4625af2b2 100644
--- a/net/tap-win32.c
+++ b/net/tap-win32.c
@@ -214,7 +214,7 @@ static int is_tap_win32_dev(const char *guid)
for (;;) {
          char enum_name[256];
-        char unit_string[256];
+        char unit_string[512];

If this isn't perf sensitive code lets just get rid of this stack
allocation and be done with some autofree'd g_strdup_printfs?


Yes, will do that.
All this is used only when opening the device, so it's not on any hot path.

Thanks,
Pierrick

Reply via email to