diff options
| author | Wolfgang Bumiller <w.bumiller@proxmox.com> | 2016-01-13 09:09:58 +0100 |
|---|---|---|
| committer | Markus Armbruster <armbru@redhat.com> | 2016-02-03 10:13:06 +0100 |
| commit | 64ffbe04eaafebf4045a3ace52a360c14959d196 (patch) | |
| tree | 57ccddbc02a6c706c89ff44f78ee62f65f9d397c /hmp.c | |
| parent | c65db7705b7926f4a084b93778e4bd5dd3990aad (diff) | |
| download | qemu-64ffbe04eaafebf4045a3ace52a360c14959d196.tar.gz qemu-64ffbe04eaafebf4045a3ace52a360c14959d196.tar.bz2 qemu-64ffbe04eaafebf4045a3ace52a360c14959d196.zip | |
hmp: fix sendkey out of bounds write (CVE-2015-8619)
When processing 'sendkey' command, hmp_sendkey routine null
terminates the 'keyname_buf' array. This results in an OOB
write issue, if 'keyname_len' was to fall outside of
'keyname_buf' array.
Since the keyname's length is known the keyname_buf can be
removed altogether by adding a length parameter to
index_from_key() and using it for the error output as well.
Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Message-Id: <20160113080958.GA18934@olga>
[Comparison with "<" dumbed down, test for junk after strtoul()
tweaked]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Diffstat (limited to 'hmp.c')
| -rw-r--r-- | hmp.c | 18 |
1 files changed, 8 insertions, 10 deletions
@@ -1731,21 +1731,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) int has_hold_time = qdict_haskey(qdict, "hold-time"); int hold_time = qdict_get_try_int(qdict, "hold-time", -1); Error *err = NULL; - char keyname_buf[16]; char *separator; int keyname_len; while (1) { separator = strchr(keys, '-'); keyname_len = separator ? separator - keys : strlen(keys); - pstrcpy(keyname_buf, sizeof(keyname_buf), keys); /* Be compatible with old interface, convert user inputted "<" */ - if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) { - pstrcpy(keyname_buf, sizeof(keyname_buf), "less"); + if (keys[0] == '<' && keyname_len == 1) { + keys = "less"; keyname_len = 4; } - keyname_buf[keyname_len] = 0; keylist = g_malloc0(sizeof(*keylist)); keylist->value = g_malloc0(sizeof(*keylist->value)); @@ -1758,16 +1755,17 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) } tmp = keylist; - if (strstart(keyname_buf, "0x", NULL)) { + if (strstart(keys, "0x", NULL)) { char *endp; - int value = strtoul(keyname_buf, &endp, 0); - if (*endp != '\0') { + int value = strtoul(keys, &endp, 0); + assert(endp <= keys + keyname_len); + if (endp != keys + keyname_len) { goto err_out; } keylist->value->type = KEY_VALUE_KIND_NUMBER; keylist->value->u.number = value; } else { - int idx = index_from_key(keyname_buf); + int idx = index_from_key(keys, keyname_len); if (idx == Q_KEY_CODE__MAX) { goto err_out; } @@ -1789,7 +1787,7 @@ out: return; err_out: - monitor_printf(mon, "invalid parameter: %s\n", keyname_buf); + monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys); goto out; } |