summaryrefslogtreecommitdiff
path: root/hmp.c
diff options
context:
space:
mode:
authorMarkus Armbruster <armbru@redhat.com>2013-02-06 21:27:14 +0100
committerAnthony Liguori <aliguori@us.ibm.com>2013-02-06 16:35:17 -0600
commit82e59a676c01b3df3b53998d428d0a64a55f2439 (patch)
treec57a24a95c993f67f20b55a2d2510a06aacdcd1c /hmp.c
parent15af6321f4d1f90d0ae1b5cb05093c48b41c4533 (diff)
downloadqemu-82e59a676c01b3df3b53998d428d0a64a55f2439.tar.gz
qemu-82e59a676c01b3df3b53998d428d0a64a55f2439.tar.bz2
qemu-82e59a676c01b3df3b53998d428d0a64a55f2439.zip
qmp: Fix design bug and read beyond buffer in memchar-write
Command memchar-write takes data and size parameter. Begs the question what happens when data doesn't match size. With format base64, qmp_memchar_write() copies the full data argument, regardless of size argument. With format utf8, qmp_memchar_write() copies size bytes from data, happily reading beyond data. Copies crap from the heap or even crashes. Drop the size parameter, and always copy the full data argument. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'hmp.c')
-rw-r--r--hmp.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/hmp.c b/hmp.c
index 1689e6f1fd..9fdf1ce516 100644
--- a/hmp.c
+++ b/hmp.c
@@ -664,13 +664,11 @@ void hmp_pmemsave(Monitor *mon, const QDict *qdict)
void hmp_memchar_write(Monitor *mon, const QDict *qdict)
{
- uint32_t size;
const char *chardev = qdict_get_str(qdict, "device");
const char *data = qdict_get_str(qdict, "data");
Error *errp = NULL;
- size = strlen(data);
- qmp_memchar_write(chardev, size, data, false, 0, &errp);
+ qmp_memchar_write(chardev, data, false, 0, &errp);
hmp_handle_error(mon, &errp);
}