On 09/18/2014 06:42 AM, zhanghailiang wrote:
> On 2014/9/18 20:17, Eric Blake wrote:
>> On 09/17/2014 09:33 PM, zhanghailiang wrote:
>>> If readdir_r fails, error_setg_errno will reference the freed
>>> pointer *dirpath*.
>>>
>>> Signed-off-by: zhanghailiang <zhang.zhanghaili...@huawei.com>
>>> ---
>>> qga/commands-posix.c | 10 ++++++----
>>> 1 file changed, 6 insertions(+), 4 deletions(-)
>>
>>> for (;;) {
>>> if (readdir_r(dir, &entry, &result) != 0) {
>>
>> Eww. We're using readdir_r? That's an inherently broken interface,
>> which can risk buffer overflow. readdir should be preferred.
>>
>> http://austingroupbugs.net/view.php?id=696
>>
>
> Yes, it is! Should I fix it in this patch together?;)

Switching to readdir would be welcome, and would probably be enough of a
rewrite that it would also fix the use-after-free without trying to
break it into two patches. You're welcome to try that as a v2.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
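
The pattern discussed in this thread, as an added example (not code from the patch or from QEMU): a directory loop that uses readdir(), tells end-of-directory from failure through errno, and formats the error message while the path buffer is still allocated. The name count_dir_entries, its parameters and the caller-supplied error buffer are assumptions made for illustration.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: count the entries of base/sub, skipping "." and "..".
 * Returns the count, or -1 with a message written to err. */
int count_dir_entries(const char *base, const char *sub,
                      char *err, size_t errlen)
{
    size_t len = strlen(base) + strlen(sub) + 2;
    char *dirpath = malloc(len);
    struct dirent *de;
    DIR *dir;
    int n = 0;

    if (!dirpath) {
        snprintf(err, errlen, "out of memory");
        return -1;
    }
    snprintf(dirpath, len, "%s/%s", base, sub);
    dir = opendir(dirpath);
    if (!dir) {
        /* Build the message first; dirpath is released only afterwards. */
        snprintf(err, errlen, "opendir(\"%s\"): %s", dirpath, strerror(errno));
        free(dirpath);
        return -1;
    }
    for (;;) {
        errno = 0;          /* readdir() returns NULL on EOF and on error */
        de = readdir(dir);
        if (!de) {
            if (errno != 0) {   /* real failure: dirpath is still valid here */
                snprintf(err, errlen, "readdir(\"%s\"): %s",
                         dirpath, strerror(errno));
                n = -1;
            }
            break;
        }
        n += (strcmp(de->d_name, ".") != 0 && strcmp(de->d_name, "..") != 0);
    }
    closedir(dir);
    free(dirpath);          /* single release point, after every use */
    return n;
}
```

Keeping one free() at the end of the function, after every path that reads dirpath, is what removes the ordering hazard named in the commit message.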