On 2015/3/16 15:58, Aneesh Kumar K.V wrote:
> Shannon Zhao <zhaoshengl...@huawei.com> writes:
>
>> It's detected by coverity. As max of sockaddr_un.sun_path is
>> sizeof(helper.sun_path), should check the length of source
>> and use strncpy instead of strcpy.
>>
>> Signed-off-by: Shannon Zhao <zhaoshengl...@huawei.com>
>> Signed-off-by: Shannon Zhao <shannon.z...@linaro.org>
>> ---
>> hw/9pfs/virtio-9p-proxy.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
>> index 59c7445..fb1ab7b 100644
>> --- a/hw/9pfs/virtio-9p-proxy.c
>> +++ b/hw/9pfs/virtio-9p-proxy.c
>> @@ -1102,12 +1102,13 @@ static int connect_namedsocket(const char *path)
>> int sockfd, size;
>> struct sockaddr_un helper;
>>
>> + g_assert(strlen(path) < sizeof(helper.sun_path));
>
> Since we are doing this from within Qemu, I did the below and folded
> that into other sockadd_un.sun_path size checking patch.
>
> diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
> index 6bb191ee6ab8..71b6198bbd22 100644
> --- a/hw/9pfs/virtio-9p-proxy.c
> +++ b/hw/9pfs/virtio-9p-proxy.c
> @@ -1100,6 +1100,10 @@ static int connect_namedsocket(const char *path)
> int sockfd, size;
> struct sockaddr_un helper;
>
> + if (strlen(path) >= sizeof(helper.sun_path)) {
> + fprintf(stderr, "Socket name too large\n");
> + return -1;
> + }
> sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
> if (sockfd < 0) {
> fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
>
>
> Let me know if that is ok for you.
>
That's OK. :-)
--
Thanks,
Shannon
>> sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
>> if (sockfd < 0) {
>> fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
>> return -1;
>> }
>> - strcpy(helper.sun_path, path);
>> + strncpy(helper.sun_path, path, sizeof(helper.sun_path));
>> helper.sun_family = AF_UNIX;
>> size = strlen(helper.sun_path) + sizeof(helper.sun_family);
>> if (connect(sockfd, (struct sockaddr *)&helper, size) < 0) {
>> --
>> 1.8.3.1
>
>
> .
>
