ShuriZma
/
xemu
mirror of https://github.com/xemu-project/xemu.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

spapr_drc: use g_strdup_printf() instead of snprintf() 

Passing a stack allocated buffer of arbitrary length to snprintf()
without checking the return value can cause the resultant strings
to be silently truncated.

Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This commit is contained in:
Greg Kurz 2017-07-25 19:58:53 +02:00 committed by David Gibson
parent a205a053dc
commit f5babeacc4
1 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
hw/ppc/spapr_drc.c
View File

@ -492,7 +492,7 @@ static void realize(DeviceState *d, Error **errp)
{ {
sPAPRDRConnector *drc = SPAPR_DR_CONNECTOR(d); sPAPRDRConnector *drc = SPAPR_DR_CONNECTOR(d);
Object *root_container; Object *root_container;
char link_name[256]; gchar *link_name;
gchar *child_name; gchar *child_name;
Error *err = NULL; Error *err = NULL;
@ -505,12 +505,13 @@ static void realize(DeviceState *d, Error **errp)
* existing in the composition tree * existing in the composition tree
*/ */
root_container = container_get(object_get_root(), DRC_CONTAINER_PATH); root_container = container_get(object_get_root(), DRC_CONTAINER_PATH);
snprintf(link_name, sizeof(link_name), "%x", spapr_drc_index(drc)); link_name = g_strdup_printf("%x", spapr_drc_index(drc));
child_name = object_get_canonical_path_component(OBJECT(drc)); child_name = object_get_canonical_path_component(OBJECT(drc));
trace_spapr_drc_realize_child(spapr_drc_index(drc), child_name); trace_spapr_drc_realize_child(spapr_drc_index(drc), child_name);
object_property_add_alias(root_container, link_name, object_property_add_alias(root_container, link_name,
drc->owner, child_name, &err); drc->owner, child_name, &err);
g_free(child_name); g_free(child_name);
g_free(link_name);
if (err) { if (err) {
error_propagate(errp, err); error_propagate(errp, err);
return; return;
@ -525,14 +526,15 @@ static void unrealize(DeviceState *d, Error **errp)
{ {
sPAPRDRConnector *drc = SPAPR_DR_CONNECTOR(d); sPAPRDRConnector *drc = SPAPR_DR_CONNECTOR(d);
Object *root_container; Object *root_container;
char name[256]; gchar *name;
trace_spapr_drc_unrealize(spapr_drc_index(drc)); trace_spapr_drc_unrealize(spapr_drc_index(drc));
qemu_unregister_reset(drc_reset, drc); qemu_unregister_reset(drc_reset, drc);
vmstate_unregister(DEVICE(drc), &vmstate_spapr_drc, drc); vmstate_unregister(DEVICE(drc), &vmstate_spapr_drc, drc);
root_container = container_get(object_get_root(), DRC_CONTAINER_PATH); root_container = container_get(object_get_root(), DRC_CONTAINER_PATH);
snprintf(name, sizeof(name), "%x", spapr_drc_index(drc)); name = g_strdup_printf("%x", spapr_drc_index(drc));
object_property_del(root_container, name, errp); object_property_del(root_container, name, errp);
g_free(name);
} }
sPAPRDRConnector *spapr_dr_connector_new(Object *owner, const char *type, sPAPRDRConnector *spapr_dr_connector_new(Object *owner, const char *type,
@ -730,10 +732,11 @@ static const TypeInfo spapr_drc_lmb_info = {
sPAPRDRConnector *spapr_drc_by_index(uint32_t index) sPAPRDRConnector *spapr_drc_by_index(uint32_t index)
{ {
Object *obj; Object *obj;
char name[256]; gchar *name;
snprintf(name, sizeof(name), "%s/%x", DRC_CONTAINER_PATH, index); name = g_strdup_printf("%s/%x", DRC_CONTAINER_PATH, index);
obj = object_resolve_path(name, NULL); obj = object_resolve_path(name, NULL);
g_free(name);
return !obj ? NULL : SPAPR_DR_CONNECTOR(obj); return !obj ? NULL : SPAPR_DR_CONNECTOR(obj);
} }