Request to queue this patch for the next pull.
On Mon, Sep 21, 2020 at 15:03 Ani Sinha <a...@anisinha.ca> wrote:
> Object property insertion code iterates over an integer to get an unused
> index that can be used as an unique name for an object property. This loop
> increments the integer value indefinitely. Although very unlikely, this can
> still cause an integer overflow.
> In this change, we fix the above code by checking against INT16_MAX and
> making
> sure that the interger index does not overflow beyond that value. If no
> available index is found, the code would cause an assertion failure. This
> assertion failure is necessary because the callers of the function do not
> check
> the return value for NULL.
>
> Signed-off-by: Ani Sinha <a...@anisinha.ca>
> Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>
> ---
> qom/object.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> changelog:
> v1: initial version
> v2: change INT_MAX to INT16_MAX in code
> v3: make the same change in commit log. Sorry for missing it.
>
> diff --git a/qom/object.c b/qom/object.c
> index 387efb25eb..9962874598 100644
> --- a/qom/object.c
> +++ b/qom/object.c
> @@ -1166,11 +1166,11 @@ object_property_try_add(Object *obj, const char
> *name, const char *type,
>
> if (name_len >= 3 && !memcmp(name + name_len - 3, "[*]", 4)) {
> int i;
> - ObjectProperty *ret;
> + ObjectProperty *ret = NULL;
> char *name_no_array = g_strdup(name);
>
> name_no_array[name_len - 3] = '\0';
> - for (i = 0; ; ++i) {
> + for (i = 0; i < INT16_MAX; ++i) {
> char *full_name = g_strdup_printf("%s[%d]", name_no_array, i);
>
> ret = object_property_try_add(obj, full_name, type, get, set,
> @@ -1181,6 +1181,7 @@ object_property_try_add(Object *obj, const char
> *name, const char *type,
> }
> }
> g_free(name_no_array);
> + assert(ret);
> return ret;
> }
>
> --
> 2.17.1
>
>
