Re: [PATCH] vnc: avoid underflow when accessing user-provided address

[Vladimir Sementsov-Ogievskiy]

On 30.03.23 15:44, Paolo Bonzini wrote:

If hostlen is zero, there is a possibility that addrstr[hostlen - 1]
underflows and, if a closing bracked is there, hostlen - 2 is passed
to g_strndup() on the next line.  If websocket==false then
addrstr[0] would be a colon, but if websocket==true this could in
principle happen.

Fix it by checking hostlen.

Reported by Coverity.

Signed-off-by: Paolo Bonzini


I've already sent a similar patch, yes, but let's finally merge any:)

Reviewed-by: Vladimir Sementsov-Ogievskiy 

--
Best regards,
Vladimir

Re: [PATCH] vnc: avoid underflow when accessing user-provided address

[Philippe Mathieu-Daudé]

On 30/3/23 14:44, Paolo Bonzini wrote:

If hostlen is zero, there is a possibility that addrstr[hostlen - 1]
underflows and, if a closing bracked is there, hostlen - 2 is passed
to g_strndup() on the next line.  If websocket==false then
addrstr[0] would be a colon, but if websocket==true this could in
principle happen.

Fix it by checking hostlen.

Reported by Coverity.


Also by Vladimir Sementsov-Ogievskiy few months ago:
https://lore.kernel.org/qemu-devel/20221206192334.65012-1-vsement...@yandex-team.ru/



Signed-off-by: Paolo Bonzini 
---
  ui/vnc.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ui/vnc.c b/ui/vnc.c
index bbd8b6baaeca..9d8a24dd8a69 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -3751,7 +3751,7 @@ static int vnc_display_get_address(const char *addrstr,
  
  addr->type = SOCKET_ADDRESS_TYPE_INET;

  inet = >u.inet;
-if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
+if (hostlen && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
  inet->host = g_strndup(addrstr + 1, hostlen - 2);
  } else {
  inet->host = g_strndup(addrstr, hostlen);