Luiz Capitulino <lcapitul...@redhat.com> writes:
> On Thu, 17 Dec 2015 18:10:59 +0530 (IST)
> P J P <ppan...@redhat.com> wrote:
>
>> Hello,
>>
>> An OOB write issue was reported by Mr Ling Liu, CC'd here. It occurs while
>> processing the 'sendkey' command, if the command argument was longer than
>> the 'keyname_buf[16]' buffer.
>
> Markus, are you planning a pull request soon?
I have nothing queued for the monitor, but I can take this fix or the
proposed alternative through my tree anyway.
> Reviewed-by: Luiz Capitulino <lcapitul...@redhat.com>
>>
>> ===
>> From b0363f4c0e91671064dd7ffece8a6923c8dcaf20 Mon Sep 17 00:00:00 2001
>> From: Prasad J Pandit <p...@fedoraproject.org>
>> Date: Thu, 17 Dec 2015 17:47:15 +0530
>> Subject: [PATCH] hmp: avoid redundant null termination of buffer
>>
>> When processing 'sendkey' command, hmp_sendkey routine null
>> terminates the 'keyname_buf' array. This results in an OOB write
>> issue, if 'keyname_len' was to fall outside of 'keyname_buf' array.
>> Removed the redundant null termination, as pstrcpy routine already
>> null terminates the target buffer.
>>
>> Reported-by: Ling Liu <liuling...@360.cn>
>> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
>> ---
>> hmp.c | 2 --
>> 1 file changed, 2 deletions(-)
>>
>> diff --git a/hmp.c b/hmp.c
>> index 2140605..e530c9c 100644
>> --- a/hmp.c
>> +++ b/hmp.c
>> @@ -1746,9 +1746,7 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
>> /* Be compatible with old interface, convert user inputted "<" */
>> if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
>> pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
>> - keyname_len = 4;
>> }
>> - keyname_buf[keyname_len] = 0;
>>
>> keylist = g_malloc0(sizeof(*keylist));
>> keylist->value = g_malloc0(sizeof(*keylist->value));
Minimally invasive fix, works for me.
Reviewed-by: Markus Armbruster <arm...@redhat.com>
