From: Prasad J Pandit <p...@fedoraproject.org>

Qemu guest agent while executing user commands does not seem to check length of argument list and/or environment variables passed. It may lead to integer overflow or infinite loop issues. Add check to avoid it.
Reported-by: Niu Guoxiang <niuguoxi...@huawei.com> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> --- qga/commands.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/qga/commands.c b/qga/commands.c index 0c7d1385c2..6d684ef209 100644 --- a/qga/commands.c +++ b/qga/commands.c @@ -231,17 +231,22 @@ static char **guest_exec_get_args(const strList *entry, bool log) int count = 1, i = 0; /* reserve for NULL terminator */ char **args; char *str; /* for logging array of arguments */ - size_t str_size = 1; + size_t str_size = 1, args_max; + args_max = sysconf(_SC_ARG_MAX); for (it = entry; it != NULL; it = it->next) { count++; str_size += 1 + strlen(it->value); + if (str_size >= args_max / 2 + || count >= args_max / sizeof(char *)) { + break; + } } str = g_malloc(str_size); *str = 0; args = g_malloc(count * sizeof(char *)); - for (it = entry; it != NULL; it = it->next) { + for (it = entry; it != NULL && i < count; it = it->next) { args[i++] = it->value; pstrcat(str, str_size, it->value); if (it->next) { -- 2.20.1
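Review bot: In the second loop, the new bound `i < count` lets the copy fill all `count` slots of `args`, including the one the declaration comment reserves for the NULL terminator. That matters exactly when the first loop leaves through the new `break`: the list is then longer than `count - 1` entries, so the copy stops only at `i == count` and no slot is left for the terminator. Bounding the copy with `i < count - 1` keeps the reserved slot free. Two further points in the same hunk: `sysconf(_SC_ARG_MAX)` returns a `long` and yields -1 on failure, which becomes a very large value once stored in the `size_t args_max`, so neither limit would ever trigger; check the return value before using it. And the `break` truncates the argument list silently, so the guest would run the command with fewer arguments than the caller sent; reporting an error to the caller would be safer than executing a shortened command line.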