diff options
| author | Markus Armbruster <armbru@redhat.com> | 2017-03-23 12:23:28 +0100 |
|---|---|---|
| committer | Markus Armbruster <armbru@redhat.com> | 2017-03-28 18:50:38 +0200 |
| commit | 44fdc764550e048a2810955da7cabbfaf636231a (patch) | |
| tree | 795aa3a6d961f58f0544f3bfb8397400dcd16ec8 /rules.mak | |
| parent | 4d2bee82f4276b6f694fa2b0b179b4b3673984f6 (diff) | |
sockets: Fix socket_address_to_string() hostname truncation
We first snprintf() to a fixed buffer, then g_strdup() the result
*boggle*.
Worse, the size of the fixed buffer INET6_ADDRSTRLEN + 5 + 4 is bogus:
the 4 correctly accounts for '[', ']', ':' and '\0', but
INET6_ADDRSTRLEN is not a suitable limit for inet->host, and 5 is not
one for inet->port! They are for host and port in *numeric* form
(exploiting that INET6_ADDRSTRLEN > INET_ADDRSTRLEN), but inet->host
can also be a hostname, and inet->port can be a service name, to be
resolved with getaddrinfo().
Fortunately, the only user so far is the "socket" network backend's
net_socket_connected(), which uses it to initialize a NetSocketState's
info_str[]. info_str[] has considerable more space: 256 instead of
55. So the bug's impact appears to be limited to truncated "info
networks" with the "socket" network backend.
The fix is obvious: use g_strdup_printf().
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <1490268208-23368-1-git-send-email-armbru@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'rules.mak')
0 files changed, 0 insertions, 0 deletions