On 23/03/2017 12:23, Markus Armbruster wrote: > We first snprintf() to a fixed buffer, then g_strdup() the result > *boggle*. > > Worse, the size of the fixed buffer INET6_ADDRSTRLEN + 5 + 4 is bogus: > the 4 correctly accounts for '[', ']', ':' and '\0', but > INET6_ADDRSTRLEN is not a suitable limit for inet->host, and 5 is not > one for inet->port! They are for host and port in *numeric* form > (exploiting that INET6_ADDRSTRLEN > INET_ADDRSTRLEN), but inet->host > can also be a hostname, and inet->port can be a service name, to be > resolved with getaddrinfo(). > > Fortunately, the only user so far is the "socket" network backend's > net_socket_connected(), which uses it to initialize a NetSocketState's > info_str[]. info_str[] has considerable more space: 256 instead of > 55. So the bug's impact appears to be limited to truncated "info > networks" with the "socket" network backend. > > The fix is obvious: use g_strdup_printf(). > > Signed-off-by: Markus Armbruster <arm...@redhat.com> > --- > util/qemu-sockets.c | 9 ++------- > 1 file changed, 2 insertions(+), 7 deletions(-) > > diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c > index 7c120c4..40164bf 100644 > --- a/util/qemu-sockets.c > +++ b/util/qemu-sockets.c > @@ -1307,19 +1307,14 @@ char *socket_address_to_string(struct SocketAddress > *addr, Error **errp) > { > char *buf; > InetSocketAddress *inet; > - char host_port[INET6_ADDRSTRLEN + 5 + 4];
/me learnt about INET6_ADDRSTRLEN today. > switch (addr->type) { > case SOCKET_ADDRESS_KIND_INET: > inet = addr->u.inet.data; > if (strchr(inet->host, ':') == NULL) { > - snprintf(host_port, sizeof(host_port), "%s:%s", inet->host, > - inet->port); > - buf = g_strdup(host_port); > + buf = g_strdup_printf("%s:%s", inet->host, inet->port); > } else { > - snprintf(host_port, sizeof(host_port), "[%s]:%s", inet->host, > - inet->port); > - buf = g_strdup(host_port); > + buf = g_strdup_printf("[%s]:%s", inet->host, inet->port); > } > break; > > Reviewed-by: Paolo Bonzini <pbonz...@redhat.com>