Luiz Capitulino <lcapitul...@redhat.com> writes:

> On Thu, 17 Dec 2015 18:10:59 +0530 (IST)
> P J P <ppan...@redhat.com> wrote:
>
>>    Hello,
>> 
>> An OOB write issue was reported by Mr Ling Liu, CC'd here. It occurs while 
>> processing the 'sendkey' command, if the command argument was longer than
>> the 'keyname_buf[16]' buffer.
>
> Markus, are you planning a pull request soon?

I have nothing queued for the monitor, but I can take this fix or the
proposed alternative through my tree anyway.

> Reviewed-by: Luiz Capitulino <lcapitul...@redhat.com>

>> 
>> ===
>> From b0363f4c0e91671064dd7ffece8a6923c8dcaf20 Mon Sep 17 00:00:00 2001
>> From: Prasad J Pandit <p...@fedoraproject.org>
>> Date: Thu, 17 Dec 2015 17:47:15 +0530
>> Subject: [PATCH] hmp: avoid redundant null termination of buffer
>> 
>> When processing 'sendkey' command, hmp_sendkey routine null
>> terminates the 'keyname_buf' array. This results in an OOB write
>> issue, if 'keyname_len' was to fall outside of 'keyname_buf' array.
>> Removed the redundant null termination, as pstrcpy routine already
>> null terminates the target buffer.
>> 
>> Reported-by: Ling Liu <liuling...@360.cn>
>> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
>> ---
>>   hmp.c | 2 --
>>   1 file changed, 2 deletions(-)
>> 
>> diff --git a/hmp.c b/hmp.c
>> index 2140605..e530c9c 100644
>> --- a/hmp.c
>> +++ b/hmp.c
>> @@ -1746,9 +1746,7 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
>>           /* Be compatible with old interface, convert user inputted "<" */
>>           if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
>>               pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
>> -            keyname_len = 4;
>>           }
>> -         keyname_buf[keyname_len] = 0;
>> 
>>           keylist = g_malloc0(sizeof(*keylist));
>>           keylist->value = g_malloc0(sizeof(*keylist->value));

Minimally invasive fix, works for me.

Reviewed-by: Markus Armbruster <arm...@redhat.com>

Reply via email to