author: Markus Armbruster <armbru@redhat.com> 2013-02-06 21:27:14 +0100
committer: Anthony Liguori <aliguori@us.ibm.com> 2013-02-06 16:35:17 -0600
commit: 82e59a676c01b3df3b53998d428d0a64a55f2439 (patch)
tree: c57a24a95c993f67f20b55a2d2510a06aacdcd1c /qapi-schema.json
parent: 15af6321f4d1f90d0ae1b5cb05093c48b41c4533 (diff)
qmp: Fix design bug and read beyond buffer in memchar-write
Command memchar-write takes data and size parameter. Begs the question what happens when data doesn't match size.

With format base64, qmp_memchar_write() copies the full data argument, regardless of size argument.

With format utf8, qmp_memchar_write() copies size bytes from data, happily reading beyond data. Copies crap from the heap or even crashes.

Drop the size parameter, and always copy the full data argument.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'qapi-schema.json')
-rw-r--r-- qapi-schema.json 4
1 files changed, 1 insertions, 3 deletions
diff --git a/qapi-schema.json b/qapi-schema.json
index cdd8384915..9e2cbbd1ae 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -346,8 +346,6 @@
#
# @device: the name of the memory char device.
#
-# @size: the size to write in bytes.
-#
# @data: the source data write to memchar.
#
# @format: #optional the format of the data write to chardev 'memory',
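Review bot: with @size gone, the remaining @data description ("the source data write to memchar") no longer tells the caller how much is written, which is exactly the ambiguity that produced the over-read; suggest rewording it to state that the entire string is written after decoding according to @format, e.g. "@data: the data to write; its full length (after base64 decoding, if applicable) is written to the device." The grammar of the surrounding lines ("the format of the data write to chardev") could be tightened in the same pass.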
@@ -359,7 +357,7 @@
# Since: 1.4
##
{ 'command': 'memchar-write',
- 'data': {'device': 'str', 'size': 'int', 'data': 'str',
+ 'data': {'device': 'str', 'data': 'str',
'*format': 'DataFormat'} }
##
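Review bot: dropping a mandatory 'size' member changes the wire interface of memchar-write, which is acceptable only because the command is marked "Since: 1.4" and not yet in a release; the commit message should say so explicitly so the change is not mistaken for a compatibility break. This view is limited to qapi-schema.json, so the reviewer cannot confirm here that the qmp_memchar_write() implementation and the qmp-commands.hx documentation drop the parameter in the same commit; the generated marshaller will fail to compile otherwise, so the full patch should be checked for those companion changes. The continuation line '*format': 'DataFormat'} } keeps its previous indentation although the line above it shortened; re-aligning it under 'device' would match the surrounding schema style.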