File xen.850e89b3ef1a7be6b71fa7ae22333c884e08431a.patch of Package xen

From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Thu, 5 Apr 2018 03:50:52 +0200
Subject: 850e89b3ef1a7be6b71fa7ae22333c884e08431a
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

tools/blktap2: fix possible '\0' truncation

gcc-8 complains:

    tapdisk-vbd.c: In function 'tapdisk_vbd_resume_ring':
    tapdisk-vbd.c:1671:53: error: 'snprintf' output may be truncated before the last format character [-Werror=format-truncation=]
       snprintf(params.name, sizeof(params.name) - 1, "%s", message);
                                                         ^
    tapdisk-vbd.c:1671:3: note: 'snprintf' output between 1 and 256 bytes into a destination of size 255
       snprintf(params.name, sizeof(params.name) - 1, "%s", message);
       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The "- 1" in buffer size should be actually applied to message, to leave
place for terminating '\0', not the other way around (truncate '\0' even
if it would fit).

    In function 'tapdisk_control_open_image',
        inlined from 'tapdisk_control_handle_request' at tapdisk-control.c:660:10:
    tapdisk-control.c:465:2: error: 'strncpy' specified bound 256 equals destination size [-Werror=stringop-truncation]
      strncpy(params.name, vbd->name, BLKTAP2_MAX_MESSAGE_LEN);
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    In function 'tapdisk_control_create_socket',
        inlined from 'tapdisk_control_open' at tapdisk-control.c:836:9:
    tapdisk-control.c:793:2: error: 'strncpy' specified bound 108 equals destination size [-Werror=stringop-truncation]
      strncpy(saddr.sun_path, td_control.path, sizeof(saddr.sun_path));
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    block-qcow.c: In function 'qcow_create':
    block-qcow.c:1216:5: error: 'strncpy' specified bound 4096 equals destination size [-Werror=stringop-truncation]
         strncpy(backing_filename, backing_file,
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          sizeof(backing_filename));
          ~~~~~~~~~~~~~~~~~~~~~~~~~

In those cases, reduce size of copied string and make sure final '\0' is
added.

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Release-Acked-by: Juergen Gross <jgross@suse.com>
---
 tools/blktap2/drivers/block-qcow.c      | 3 ++-
 tools/blktap2/drivers/tapdisk-control.c | 5 +++--
 tools/blktap2/drivers/tapdisk-vbd.c     | 3 ++-
 3 files changed, 7 insertions(+), 4 deletions(-)

--- a/tools/blktap2/drivers/block-qcow.c
+++ b/tools/blktap2/drivers/block-qcow.c
@@ -1205,25 +1205,26 @@ int qcow_create(const char *filename, uint64_t total_size,
 	header_size = sizeof(header) + sizeof(QCowHeader_ext);
 	backing_filename_len = 0;
 	size = (total_size >> SECTOR_SHIFT);
 	if (backing_file) {
 		if (strcmp(backing_file, "fat:")) {
 			const char *p;
 			/* XXX: this is a hack: we do not attempt to 
 			 *check for URL like syntax */
 			p = strchr(backing_file, ':');
 			if (p && (p - backing_file) >= 2) {
 				/* URL like but exclude "c:" like filenames */
 				strncpy(backing_filename, backing_file,
-					sizeof(backing_filename));
+					sizeof(backing_filename) - 1);
+				backing_filename[sizeof(backing_filename) - 1] = '\0';
 			} else {
 				if (realpath(backing_file, backing_filename) == NULL ||
 				    stat(backing_filename, &st) != 0) {
 					return -1;
 				}
 			}
 			header.backing_file_offset = cpu_to_be64(header_size);
 			backing_filename_len = strlen(backing_filename);
 			header.backing_file_size = cpu_to_be32(
 				backing_filename_len);
 			header_size += backing_filename_len;
 			
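Review bot: The `strncpy` in the URL-like branch of qcow_create is now always terminated, but a `backing_file` longer than the buffer is still shortened silently. The shortened name is what `strlen(backing_filename)` measures a few lines later, and presumably what gets stored as the image's backing file. The neighbouring `realpath` branch already fails with `return -1`, so rejecting an over-long name would be consistent: `if (strlen(backing_file) >= sizeof(backing_filename)) return -1;` ahead of the copy. The same silent shortening applies to the `saddr.sun_path` copy in tapdisk_control_create_socket, where bind() would use a different path from `td_control.path`, the name the earlier unlink error message refers to. qcow_create starts and ends outside this hunk.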
--- a/tools/blktap2/drivers/tapdisk-control.c
+++ b/tools/blktap2/drivers/tapdisk-control.c
@@ -453,25 +453,26 @@ tapdisk_control_open_image(struct tapdisk_control_connection *connection,
 		goto out;
 
 	err = tapdisk_vbd_open_stack(vbd, request->u.params.storage, flags);
 	if (err)
 		goto out;
 
 	err = tapdisk_vbd_get_image_info(vbd, &image);
 	if (err)
 		goto fail_close;
 
 	params.capacity = image.size;
 	params.sector_size = image.secsize;
-	strncpy(params.name, vbd->name, BLKTAP2_MAX_MESSAGE_LEN);
+	strncpy(params.name, vbd->name, BLKTAP2_MAX_MESSAGE_LEN - 1);
+	params.name[BLKTAP2_MAX_MESSAGE_LEN - 1] = '\0';
 
 	err = ioctl(vbd->ring.fd, BLKTAP2_IOCTL_CREATE_DEVICE, &params);
 	if (err && errno != EEXIST) {
 		err = -errno;
 		EPRINTF("create device failed: %d\n", err);
 		goto fail_close;
 	}
 
 	err = 0;
 
 out:
 	memset(&response, 0, sizeof(response));
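Review bot: The bound and the terminator index for `params.name` are written with `BLKTAP2_MAX_MESSAGE_LEN`, which ties the copy to a macro rather than to the destination. The gcc diagnostic quoted in the commit message shows the two are equal today, but the copy goes out of bounds if the field size and the macro ever diverge. Using the destination size also matches the tapdisk-vbd.c hunk: `strncpy(params.name, vbd->name, sizeof(params.name) - 1);` followed by `params.name[sizeof(params.name) - 1] = '\0';`. tapdisk_control_open_image starts and ends outside this hunk.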
@@ -781,25 +782,25 @@ tapdisk_control_create_socket(char **socket_path)
 		EPRINTF("failed to unlink %s: %d\n", td_control.path, errno);
 		goto fail;
 	}
 
 	td_control.socket = socket(AF_UNIX, SOCK_STREAM, 0);
 	if (td_control.socket == -1) {
 		err = errno;
 		EPRINTF("failed to create control socket: %d\n", err);
 		goto fail;
 	}
 
 	memset(&saddr, 0, sizeof(saddr));
-	strncpy(saddr.sun_path, td_control.path, sizeof(saddr.sun_path));
+	strncpy(saddr.sun_path, td_control.path, sizeof(saddr.sun_path) - 1);
 	saddr.sun_family = AF_UNIX;
 
 	err = bind(td_control.socket,
 		   (const struct sockaddr *)&saddr, sizeof(saddr));
 	if (err == -1) {
 		err = errno;
 		EPRINTF("failed to bind to %s: %d\n", saddr.sun_path, err);
 		goto fail;
 	}
 
 	err = listen(td_control.socket, 10);
 	if (err == -1) {
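Review bot: Unlike the other copies in this patch, the `saddr.sun_path` copy gets no explicit terminator; it is NUL-terminated only because `memset(&saddr, 0, sizeof(saddr))` runs on the line before and the bound is now `sizeof(saddr.sun_path) - 1`. That dependency is easy to break when the lines are reordered, so I would document it next to the copy: `/* saddr is zeroed above, so the last byte of sun_path stays '\0' */`. Alternatively, add `saddr.sun_path[sizeof(saddr.sun_path) - 1] = '\0';` for consistency with the other hunks. tapdisk_control_create_socket starts and ends outside this hunk.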
--- a/tools/blktap2/drivers/tapdisk-vbd.c
+++ b/tools/blktap2/drivers/tapdisk-vbd.c
@@ -1659,25 +1659,26 @@ tapdisk_vbd_resume_ring(td_vbd_t *vbd)
 	}
 
 out:
 	if (!err) {
 		image_t image;
 		struct blktap2_params params;
 
 		memset(&params, 0, sizeof(params));
 		tapdisk_vbd_get_image_info(vbd, &image);
 
 		params.sector_size = image.secsize;
 		params.capacity    = image.size;
-		snprintf(params.name, sizeof(params.name) - 1, "%s", message);
+		snprintf(params.name, sizeof(params.name),
+			 "%.*s", (int)sizeof(params.name) - 1, message);
 
 		ioctl(vbd->ring.fd, BLKTAP2_IOCTL_SET_PARAMS, &params);
 		td_flag_clear(vbd->state, TD_VBD_PAUSED);
 	}
 
 	ioctl(vbd->ring.fd, BLKTAP2_IOCTL_RESUME, err);
 	return err;
 }
 
 static int
 tapdisk_vbd_check_ring_message(td_vbd_t *vbd)
 {
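Review bot: The `"%.*s"` precision in the new `snprintf` call in tapdisk_vbd_resume_ring does not change the result. `snprintf` with a size of `sizeof(params.name)` already stops at 255 characters and writes the terminator, so the precision is there only to satisfy gcc-8's -Wformat-truncation. Without a comment, the `(int)sizeof(params.name) - 1` argument looks like a second, possibly conflicting, bound. I would add above the call: `/* explicit precision only silences -Wformat-truncation; snprintf already terminates within sizeof(params.name) */`. The hunk covers only the tail of the function.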