diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2016-02-03 10:50:06 +0000 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2016-02-03 10:50:06 +0000 |
| commit | ad9e1dab20253441716b769500d4c63bc39b0d51 (patch) | |
| tree | 57ccddbc02a6c706c89ff44f78ee62f65f9d397c /hmp.c | |
| parent | c65db7705b7926f4a084b93778e4bd5dd3990aad (diff) | |
| parent | 64ffbe04eaafebf4045a3ace52a360c14959d196 (diff) | |
Merge remote-tracking branch 'remotes/armbru/tags/pull-monitor-2016-02-03' into staging
Monitor patches for 2016-02-03
# gpg: Signature made Wed 03 Feb 2016 09:13:48 GMT using RSA key ID EB918653
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>"
# gpg: aka "Markus Armbruster <armbru@pond.sub.org>"
* remotes/armbru/tags/pull-monitor-2016-02-03:
hmp: fix sendkey out of bounds write (CVE-2015-8619)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hmp.c')
| -rw-r--r-- | hmp.c | 18 |
1 files changed, 8 insertions, 10 deletions
@@ -1731,21 +1731,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) int has_hold_time = qdict_haskey(qdict, "hold-time"); int hold_time = qdict_get_try_int(qdict, "hold-time", -1); Error *err = NULL; - char keyname_buf[16]; char *separator; int keyname_len; while (1) { separator = strchr(keys, '-'); keyname_len = separator ? separator - keys : strlen(keys); - pstrcpy(keyname_buf, sizeof(keyname_buf), keys); /* Be compatible with old interface, convert user inputted "<" */ - if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) { - pstrcpy(keyname_buf, sizeof(keyname_buf), "less"); + if (keys[0] == '<' && keyname_len == 1) { + keys = "less"; keyname_len = 4; } - keyname_buf[keyname_len] = 0; keylist = g_malloc0(sizeof(*keylist)); keylist->value = g_malloc0(sizeof(*keylist->value)); @@ -1758,16 +1755,17 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) } tmp = keylist; - if (strstart(keyname_buf, "0x", NULL)) { + if (strstart(keys, "0x", NULL)) { char *endp; - int value = strtoul(keyname_buf, &endp, 0); - if (*endp != '\0') { + int value = strtoul(keys, &endp, 0); + assert(endp <= keys + keyname_len); + if (endp != keys + keyname_len) { goto err_out; } keylist->value->type = KEY_VALUE_KIND_NUMBER; keylist->value->u.number = value; } else { - int idx = index_from_key(keyname_buf); + int idx = index_from_key(keys, keyname_len); if (idx == Q_KEY_CODE__MAX) { goto err_out; } @@ -1789,7 +1787,7 @@ out: return; err_out: - monitor_printf(mon, "invalid parameter: %s\n", keyname_buf); + monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys); goto out; } |