On Mon, Jun 10, 2013 at 5:21 PM, Stefan Hajnoczi <stefa...@gmail.com> wrote:
> On Sun, Jun 09, 2013 at 10:34:54AM +0800, Fam Zheng wrote:
>> @@ -110,14 +111,14 @@ static int curl_sock_cb(CURL *curl, curl_socket_t fd,
>> int action,
>> return 0;
>> }
>>
>> -static size_t curl_size_cb(void *ptr, size_t size, size_t nmemb, void
>> *opaque)
>> +static size_t curl_header_cb(void *ptr, size_t size, size_t nmemb, void
>> *opaque)
>> {
>> - CURLState *s = ((CURLState*)opaque);
>> + BDRVCURLState *s = opaque;
>> size_t realsize = size * nmemb;
>> - size_t fsize;
>> + const char *accept_line = "Accept-Ranges: bytes";
>>
>> - if(sscanf(ptr, "Content-Length: %zd", &fsize) == 1) {
>> - s->s->len = fsize;
>> + if (strncmp((char *)ptr, accept_line, strlen(accept_line)) == 0) {
>> + s->accept_range = true;
>> }
>
> This still assumes ptr is NUL-terminated. You need to pass size * nmemb
> instead of strlen(accept_line).
>

OK, this is a corner case, only when:
- realsize < strlen(accept_line) and
- ptr is the first part of accept_line, without NUL-termination

strncmp will possibly access no more than (strlen(accept_line) - realsize) bytes after ptr buffer.
I'll need to check if realsize >= strlen(accept_line), not passing realsize.
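Review bot: in the curl_header_cb hunk the strncmp is bounded by strlen(accept_line) rather than by realsize, and the buffer libcurl passes to a header callback is not NUL-terminated, so a header line shorter than the pattern whose bytes match the pattern's prefix is read past its end (strncmp only stops at a mismatch or a NUL). Check the length before comparing, e.g. `if (realsize >= strlen(accept_line) && strncmp(ptr, accept_line, strlen(accept_line)) == 0)`, or use memcmp behind the same guard; the `(char *)` cast on ptr is unnecessary since ptr is already a void *. Header field names are case-insensitive, so strncasecmp behind the same guard would also catch `accept-ranges: bytes`.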
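As an added example, not code from the patch or from QEMU, the two ways of matching the header side by side, run on constructed header lines: the posted strncmp form, which reads as far as the pattern length, and a bounded form that applies the realsize >= strlen(accept_line) check before comparing. The HeaderState struct, the callback names and the sample lines are assumptions made for this demonstration; the bounded form also compares case-insensitively, which goes beyond the patch. The short-buffer case is shown by handing the callback only the first 9 bytes of a longer backing array, so the over-read shows up as a wrong result instead of undefined behaviour.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the BDRVCURLState of the patch: only the
 * flag the header callback sets is modelled. */
typedef struct {
    bool accept_range;
} HeaderState;

static const char ACCEPT_LINE[] = "Accept-Ranges: bytes";

/* Constructed sample header lines, shaped like what libcurl hands to a
 * CURLOPT_HEADERFUNCTION callback: one line per call, CRLF included,
 * and the terminating NUL of the array is NOT counted in size * nmemb. */
static char SAMPLE_FULL[]  = "Accept-Ranges: bytes\r\n";
static char SAMPLE_LOWER[] = "accept-ranges: BYTES\r\n";
static char SAMPLE_NONE[]  = "Accept-Ranges: none\r\n";

/* The comparison as posted: the bound is the pattern length, so when the
 * buffer is shorter than the pattern and matches its prefix, strncmp
 * keeps reading past the size * nmemb bytes it was given. */
static size_t header_cb_unbounded(void *ptr, size_t size, size_t nmemb, void *opaque)
{
    HeaderState *s = opaque;
    size_t realsize = size * nmemb;

    if (strncmp((char *)ptr, ACCEPT_LINE, strlen(ACCEPT_LINE)) == 0) {
        s->accept_range = true;
    }
    return realsize;
}

/* Prefix match that never touches more than len bytes of buf: reject
 * short buffers first (the realsize >= strlen(accept_line) check), then
 * compare exactly plen bytes. The compare is case-insensitive because
 * HTTP field names and range-unit names are case-insensitive; that is
 * an addition here, the patch matches the exact spelling only. */
static bool header_has_prefix(const char *buf, size_t len, const char *prefix)
{
    size_t plen = strlen(prefix);
    size_t i;

    if (len < plen) {
        return false;
    }
    for (i = 0; i < plen; i++) {
        if (tolower((unsigned char)buf[i]) != tolower((unsigned char)prefix[i])) {
            return false;
        }
    }
    return true;
}

static size_t header_cb_bounded(void *ptr, size_t size, size_t nmemb, void *opaque)
{
    HeaderState *s = opaque;
    size_t realsize = size * nmemb;

    if (header_has_prefix(ptr, realsize, ACCEPT_LINE)) {
        s->accept_range = true;
    }
    return realsize;
}

/* Drive one callback with the first `given` bytes of `line` and report
 * whether it set accept_range. Handing in fewer bytes than the backing
 * array holds mimics a short header line followed by unrelated but
 * readable memory, so an over-read becomes a visible result, not a crash. */
static bool run_cb(size_t (*cb)(void *, size_t, size_t, void *),
                   char *line, size_t given)
{
    HeaderState st = { false };

    cb(line, 1, given, &st);
    return st.accept_range;
}

int main(void)
{
    printf("full line      unbounded=%d bounded=%d\n",
           run_cb(header_cb_unbounded, SAMPLE_FULL, strlen(SAMPLE_FULL)),
           run_cb(header_cb_bounded, SAMPLE_FULL, strlen(SAMPLE_FULL)));
    printf("first 9 bytes  unbounded=%d bounded=%d\n",
           run_cb(header_cb_unbounded, SAMPLE_FULL, 9),
           run_cb(header_cb_bounded, SAMPLE_FULL, 9));
    printf("lower case     unbounded=%d bounded=%d\n",
           run_cb(header_cb_unbounded, SAMPLE_LOWER, strlen(SAMPLE_LOWER)),
           run_cb(header_cb_bounded, SAMPLE_LOWER, strlen(SAMPLE_LOWER)));
    printf("none           bounded=%d\n",
           run_cb(header_cb_bounded, SAMPLE_NONE, strlen(SAMPLE_NONE)));
    return 0;
}
```

Build with `cc -Wall -o hdr hdr.c && ./hdr`. The "first 9 bytes" row is the point of the thread: the unbounded callback reports a match it could only have produced by reading 11 bytes beyond what it was given, while the bounded one rejects the buffer before comparing. With a real server the callback sees whole lines, so a truncated Accept-Ranges line does not occur, but any short line whose bytes happen to equal the pattern's prefix would still trigger the same over-read; the length guard removes that possibility regardless of input. Optional whitespace after the colon is not handled by either form.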