ShuriZma
/
xqemu
mirror of https://github.com/xqemu/xqemu.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

spapr_iommu: use g_strdup_printf() instead of snprintf() 

Passing a stack allocated buffer of arbitrary length to snprintf()
without checking the return value can cause the resultant strings
to be silently truncated.

Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This commit is contained in:
Greg Kurz 2017-07-25 19:58:40 +02:00 committed by David Gibson
parent 5c3d70e970
commit a205a053dc
1 changed files with 8 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
hw/ppc/spapr_iommu.c
View File

@ -252,17 +252,19 @@ static int spapr_tce_table_realize(DeviceState *dev)
{ {
sPAPRTCETable *tcet = SPAPR_TCE_TABLE(dev); sPAPRTCETable *tcet = SPAPR_TCE_TABLE(dev);
Object *tcetobj = OBJECT(tcet); Object *tcetobj = OBJECT(tcet);
char tmp[32]; gchar *tmp;
tcet->fd = -1; tcet->fd = -1;
tcet->need_vfio = false; tcet->need_vfio = false;
snprintf(tmp, sizeof(tmp), "tce-root-%x", tcet->liobn); tmp = g_strdup_printf("tce-root-%x", tcet->liobn);
memory_region_init(&tcet->root, tcetobj, tmp, UINT64_MAX); memory_region_init(&tcet->root, tcetobj, tmp, UINT64_MAX);
g_free(tmp);
snprintf(tmp, sizeof(tmp), "tce-iommu-%x", tcet->liobn); tmp = g_strdup_printf("tce-iommu-%x", tcet->liobn);
memory_region_init_iommu(&tcet->iommu, sizeof(tcet->iommu), memory_region_init_iommu(&tcet->iommu, sizeof(tcet->iommu),
TYPE_SPAPR_IOMMU_MEMORY_REGION, TYPE_SPAPR_IOMMU_MEMORY_REGION,
tcetobj, tmp, 0); tcetobj, tmp, 0);
g_free(tmp);
QLIST_INSERT_HEAD(&spapr_tce_tables, tcet, list); QLIST_INSERT_HEAD(&spapr_tce_tables, tcet, list);
@ -307,7 +309,7 @@ void spapr_tce_set_need_vfio(sPAPRTCETable *tcet, bool need_vfio)
sPAPRTCETable *spapr_tce_new_table(DeviceState *owner, uint32_t liobn) sPAPRTCETable *spapr_tce_new_table(DeviceState *owner, uint32_t liobn)
{ {
sPAPRTCETable *tcet; sPAPRTCETable *tcet;
char tmp[32]; gchar *tmp;
if (spapr_tce_find_by_liobn(liobn)) { if (spapr_tce_find_by_liobn(liobn)) {
error_report("Attempted to create TCE table with duplicate" error_report("Attempted to create TCE table with duplicate"
@ -318,8 +320,9 @@ sPAPRTCETable *spapr_tce_new_table(DeviceState *owner, uint32_t liobn)
tcet = SPAPR_TCE_TABLE(object_new(TYPE_SPAPR_TCE_TABLE)); tcet = SPAPR_TCE_TABLE(object_new(TYPE_SPAPR_TCE_TABLE));
tcet->liobn = liobn; tcet->liobn = liobn;
snprintf(tmp, sizeof(tmp), "tce-table-%x", liobn); tmp = g_strdup_printf("tce-table-%x", liobn);
object_property_add_child(OBJECT(owner), tmp, OBJECT(tcet), NULL); object_property_add_child(OBJECT(owner), tmp, OBJECT(tcet), NULL);
g_free(tmp);
object_property_set_bool(OBJECT(tcet), true, "realized", NULL); object_property_set_bool(OBJECT(tcet), true, "realized", NULL);