Hello Prasad,

Can you give this a CVE ID?

Thank you.

-----Original Message-----
From: P J P [mailto:ppan...@redhat.com]
Sent: Thursday, December 17, 2015 8:41 PM
To: qemu-devel@nongnu.org
Cc: 刘令
Subject: [PATCH] hmp: avoid redundant null termination of buffer

Hello,

An OOB write issue was reported by Mr Ling Liu, CC'd here. It occurs while processing the 'sendkey' command, if the command argument was longer than the 'keyname_buf[16]' buffer.

===
From b0363f4c0e91671064dd7ffece8a6923c8dcaf20 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <p...@fedoraproject.org>
Date: Thu, 17 Dec 2015 17:47:15 +0530
Subject: [PATCH] hmp: avoid redundant null termination of buffer

When processing 'sendkey' command, hmp_sendkey routine null terminates the 'keyname_buf' array. This results in an OOB write issue, if 'keyname_len' was to fall outside of 'keyname_buf' array. Removed the redundant null termination, as pstrcpy routine already null terminates the target buffer.

Reported-by: Ling Liu <liuling...@360.cn>
Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
---
 hmp.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/hmp.c b/hmp.c
index 2140605..e530c9c 100644
--- a/hmp.c
+++ b/hmp.c
@@ -1746,9 +1746,7 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) /* Be compatible with old interface, convert user inputted "<" */ if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) { pstrcpy(keyname_buf, sizeof(keyname_buf), "less"); - keyname_len = 4; } - keyname_buf[keyname_len] = 0; keylist = g_malloc0(sizeof(*keylist)); keylist->value = g_malloc0(sizeof(*keylist->value));
--
2.4.3
===

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
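Review bot: deleting `keyname_buf[keyname_len] = 0;` removes the out-of-bounds store, but nothing in the hunk shows where keyname_len comes from or how keyname_buf is filled outside the "<" branch, so the commit message's claim that the store is redundant cannot be checked from the diff alone. If keyname_len is the offset of a separator inside a multi-key argument and the buffer was filled by a bounded copy from the start of that argument, this store was also what cut the name off at the separator, and removing it changes how key sequences are split; the removed `keyname_len = 4;` in the "<" branch only existed to feed that same store, so the two deletions stand or fall together. Suggest keeping the truncation and bounding the index instead, for example an `if (keyname_len >= sizeof(keyname_buf))` check that reports an error for an over-long key name before the store, or copying the name with g_strndup(keys, keyname_len) so there is no fixed-size buffer to index at all; either way a name longer than 15 bytes should be rejected rather than silently accepted.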
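To make the reported failure concrete, here is an added example (written for this page, not QEMU code and not the patch above) modelling the parsing pattern the report describes: a 16-byte key-name buffer, a bounded copy, and a terminator store indexed by the key-name length. That the length is the offset of the first '-' separator, and that `bounded_copy` matches QEMU's pstrcpy contract, are assumptions of this example. It shows which inputs make the original store land outside the buffer, what the buffer holds if the store is simply dropped, and a tokenizer that rejects over-long names instead of indexing past the end.

```c
/* Added example, not QEMU code. Models the 'sendkey' parsing pattern the
 * report describes: a 16-byte key-name buffer, a bounded copy, and a
 * terminator store at keyname_len. Deriving keyname_len from the first '-'
 * separator is an assumption made for this example. */
#include <stdio.h>
#include <string.h>

#define KEYNAME_BUF_SIZE 16
#define MAX_KEYS 8

/* Stand-in for QEMU's pstrcpy: copies at most buf_size-1 bytes and always
 * NUL-terminates (assumed to match the real helper's contract). */
static void bounded_copy(char *buf, size_t buf_size, const char *str)
{
    size_t i = 0;
    while (i + 1 < buf_size && str[i] != '\0') {
        buf[i] = str[i];
        i++;
    }
    buf[i] = '\0';
}

/* Index the original code would use for keyname_buf[keyname_len] = 0 on the
 * first key of `keys`, computed without performing the store. */
size_t terminator_index(const char *keys)
{
    const char *sep = strchr(keys, '-');
    size_t keyname_len = sep ? (size_t)(sep - keys) : strlen(keys);
    if (keyname_len == 1 && keys[0] == '<') {
        keyname_len = 4;            /* "<" is rewritten to "less" */
    }
    return keyname_len;
}

/* 1 if that store would land at or past the end of a 16-byte buffer. */
int terminator_store_is_oob(const char *keys)
{
    return terminator_index(keys) >= KEYNAME_BUF_SIZE;
}

/* Buffer contents if the store is deleted and only the bounded copy from the
 * start of the input remains: the copy does not stop at '-', so any
 * truncation at the separator is lost. Returns 1 if out equals expected. */
int untruncated_copy_is(const char *keys, const char *expected)
{
    char out[KEYNAME_BUF_SIZE];
    bounded_copy(out, KEYNAME_BUF_SIZE, keys);
    return strcmp(out, expected) == 0;
}

/* Hardened tokenizer: splits "a-b-c" into up to MAX_KEYS names, rejecting
 * empty names and names that do not fit instead of indexing past the end.
 * Returns the key count, or -1 on malformed input. */
int parse_sendkey(const char *keys, char out[MAX_KEYS][KEYNAME_BUF_SIZE])
{
    int count = 0;
    for (;;) {
        const char *sep = strchr(keys, '-');
        size_t len = sep ? (size_t)(sep - keys) : strlen(keys);
        if (count == MAX_KEYS || len == 0 || len >= KEYNAME_BUF_SIZE) {
            return -1;              /* too many, empty, or over-long key */
        }
        if (len == 1 && keys[0] == '<') {
            bounded_copy(out[count], KEYNAME_BUF_SIZE, "less");
        } else {
            memcpy(out[count], keys, len);
            out[count][len] = '\0'; /* len <= 14 here, always in bounds */
        }
        count++;
        if (sep == NULL) {
            return count;
        }
        keys = sep + 1;
    }
}

/* Scalar wrappers around parse_sendkey for callers without a buffer. */
int sendkey_count(const char *keys)
{
    char out[MAX_KEYS][KEYNAME_BUF_SIZE];
    return parse_sendkey(keys, out);
}

int sendkey_nth_is(const char *keys, int n, const char *expected)
{
    char out[MAX_KEYS][KEYNAME_BUF_SIZE];
    int count = parse_sendkey(keys, out);
    return n >= 0 && n < count && strcmp(out[n], expected) == 0;
}

int main(void)
{
    /* Constructed inputs: a normal sequence and an over-long single name. */
    const char *seq = "ctrl-alt-delete";
    const char *over = "aaaaaaaaaaaaaaaaaaaaaaaa";
    printf("%s: store index %zu, oob=%d, parsed %d keys\n", seq,
           terminator_index(seq), terminator_store_is_oob(seq),
           sendkey_count(seq));
    printf("%s: store index %zu, oob=%d, parsed %d keys\n", over,
           terminator_index(over), terminator_store_is_oob(over),
           sendkey_count(over));
    return 0;
}
```

Under these assumptions the 24-byte name indexes the store at offset 24 of a 16-byte array, while the sequence "ctrl-alt-delete" indexes at 4 and splits cleanly; the hardened tokenizer returns -1 for the over-long name rather than truncating it.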