On 13 April 2012 20:59, Crístian Viana <via...@linux.vnet.ibm.com> wrote:
>> If so, then you have a bug in nseries.c: sprintf() is asking for a buffer overflow. Remember, QEMU_VERSION has a compile-time fixed length, but if qemu_get_version() is an arbitrary user string, you no longer have a guarantee that you fit in version[12].
>
> Well, I also noticed that in some places, the version buffer is 12 chars long, in other places it is 32 chars long... we could set a maximum length and make sure the string won't cause a buffer overflow (with snprintf or some other variant).
Typically the buffer is a fixed length because we're conforming to some protocol (USB, Linux atags, usb-redirection-transport, SCSI, etc) which mandates a fixed length for whatever field we've been putting the version number in. The length involved will obviously vary depending on the use. So you have to stick to the required length for each use and just make sure we truncate rather than overflowing in the unlikely event of an overlong return from qemu_get_version().

-- PMM
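The "truncate rather than overflow" rule from the thread, as an added example that is not QEMU's own code: a helper that fills a protocol-mandated fixed-size field (the 12- and 32-byte buffers mentioned above) from a version string of unknown length, using snprintf so the buffer can never be overrun, and reporting truncation so the caller can log it. The function name and the sample version strings are assumptions constructed for this example; the unsafe sprintf pattern is shown only in a comment.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * The bug discussed in the thread is the pattern
 *     char version[12];
 *     sprintf(version, "%s", qemu_get_version());
 * which writes past `version` as soon as the returned string is longer
 * than 11 characters plus the terminating NUL.
 *
 * set_version_field() (hypothetical name) is the safe replacement: it
 * never writes more than `fieldlen` bytes, always NUL-terminates, and
 * returns true when the input had to be truncated to fit.
 */
static bool set_version_field(char *field, size_t fieldlen, const char *version)
{
    if (fieldlen == 0) {
        return true; /* nothing fits; treat as truncated */
    }
    /* snprintf writes at most fieldlen bytes (NUL included) and returns the
     * length the untruncated output would have needed, so a return value of
     * fieldlen or more tells us the string was cut off. */
    int needed = snprintf(field, fieldlen, "%s", version);
    return needed < 0 || (size_t)needed >= fieldlen;
}

int main(void)
{
    /* Constructed sample inputs standing in for qemu_get_version(). */
    const char *short_ver = "1.0.50";
    const char *long_ver = "1.0.50-custom-build-2012";
    char field12[12];
    char field32[32];

    bool t1 = set_version_field(field12, sizeof field12, short_ver);
    bool t2 = set_version_field(field12, sizeof field12, long_ver);
    bool t3 = set_version_field(field32, sizeof field32, long_ver);

    printf("12-byte field, short input: \"%s\" truncated=%d\n", field12, t1);
    printf("12-byte field, long input:  \"%s\" truncated=%d\n", field12, t2);
    printf("32-byte field, long input:  \"%s\" truncated=%d\n", field32, t3);
    return 0;
}
```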