On 18/12/18 20:33, Eric Blake wrote:
>> diff --git a/migration/global_state.c b/migration/global_state.c
>> index 6e19333422..c19030ef62 100644
>> --- a/migration/global_state.c
>> +++ b/migration/global_state.c
>> @@ -106,7 +106,7 @@ static int global_state_pre_save(void *opaque)
>>       GlobalState *s = opaque;
>>         trace_migrate_global_state_pre_save((char *)s->runstate);
>> -    s->size = strlen((char *)s->runstate) + 1;
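Review bot: the quoted hunk shows only the removed line of `global_state_pre_save`, not what now sets `s->size`, so the reviewer cannot confirm that the new value still includes the terminating NUL that `strlen((char *)s->runstate) + 1` accounted for; please quote the `+` line. Note also that the unchanged `trace_migrate_global_state_pre_save((char *)s->runstate)` two lines above still treats `s->runstate` as a NUL-terminated string, so dropping the `strlen` alone does not remove that assumption from this hook. Since this is a pre_save hook, `s->runstate` here holds what the local QEMU wrote before the stream is produced, so any bounds check intended to defend against an unterminated string in an incoming stream belongs on the load/parse path, not in pre_save.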
> 
> The old code sets s->size to the string length + space for the NUL byte
> (by assuming that a NUL byte was present), and accidentally sets it
> beyond the s->runstate array if there was no NUL byte (our existing
> runstate names are shorter than 100 bytes, so this could only happen on
> a malicious stream).

It cannot---this is a pre_save hook.  A possible overflow bug exists,
but it is in the call to qapi_enum_parse.

Paolo
