Richard W.M. Jones
2010-Jun-01 15:21 UTC
[Libguestfs] [PATCH] daemon: write-file: Check range of size parameter (RHBZ#597135).
-- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming blog: http://rwmj.wordpress.com Fedora now supports 80 OCaml packages (the OPEN alternative to F#) http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora -------------- next part -------------->From 256f39edaac0c83eb428c8c212586ebd750cbfc2 Mon Sep 17 00:00:00 2001From: Richard Jones <rjones at redhat.com> Date: Tue, 1 Jun 2010 16:18:53 +0100 Subject: [PATCH 2/2] daemon: write-file: Check range of size parameter (RHBZ#597135). This also adds a regression test. --- daemon/file.c | 23 ++++++++++++++++++++++- src/generator.ml | 4 +++- 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/daemon/file.c b/daemon/file.c index aca1caa..7600064 100644 --- a/daemon/file.c +++ b/daemon/file.c @@ -288,8 +288,29 @@ do_write_file (const char *path, const char *content, int size) { int fd; + /* This call is deprecated, and it has a broken interface. New code + * should use the 'guestfs_write' call instead. Because we used an + * XDR string type, 'content' cannot contain ASCII NUL and 'size' + * must never be longer than the string. We must check this to + * ensure random stuff from XDR or daemon memory isn't written to + * the file (RHBZ#597135). + */ + if (size < 0) { + reply_with_error ("size cannot be negative"); + return -1; + } + + /* Note content_len must be small because of the limits on protocol + * message size. + */ + int content_len = (int) strlen (content); + if (size == 0) - size = strlen (content); + size = content_len; + else if (size > content_len) { + reply_with_error ("size parameter is larger than string content"); + return -1; + } CHROOT_IN; fd = open (path, O_WRONLY | O_TRUNC | O_CREAT | O_NOCTTY, 0666); diff --git a/src/generator.ml b/src/generator.ml index ff772f5..2c33049 100755 --- a/src/generator.ml +++ b/src/generator.ml 
@@ -1543,7 +1543,9 @@ See also: C<guestfs_sfdisk_l>, C<guestfs_sfdisk_N>, C<guestfs_part_init>"); ("write_file", (RErr, [Pathname "path"; String "content"; Int "size"]), 44, [ProtocolLimitWarning; DeprecatedBy "write"], - [], + (* Regression test for RHBZ#597135. *) + [InitBasicFS, Always, TestLastFail + [["write_file"; "/new"; "abc"; "10000"]]], "create a file", "\ This call creates a file called C<path>. The contents of the -- 1.6.6.1
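Review bot: In the daemon/file.c hunk, the "(int) strlen (content)" cast in do_write_file is only safe because of the protocol message size limit mentioned in the comment above it, and nothing in this function enforces that limit. Since "size < 0" has already been rejected by that point, the bound check can avoid narrowing altogether: keep "size_t content_len = strlen (content);" and test "(size_t) size > content_len". That way the comparison stays correct even if the message limit changes or the function gains a caller outside the XDR path.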
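Review bot: In the src/generator.ml hunk, the new write_file regression test only exercises the "size > content_len" branch ("abc" with size "10000"). The "size < 0" branch added to do_write_file in the same patch has no test. Consider adding a second TestLastFail case with a negative size, and a case where size equals the length of the content, so the boundary of the new check is pinned down as well.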
Matthew Booth
2010-Jun-02 12:46 UTC
[Libguestfs] [PATCH] daemon: write-file: Check range of size parameter (RHBZ#597135).
On 01/06/10 16:21, Richard W.M. Jones wrote:
>> From 256f39edaac0c83eb428c8c212586ebd750cbfc2 Mon Sep 17 00:00:00 2001
> From: Richard Jones<rjones at redhat.com>
> Date: Tue, 1 Jun 2010 16:18:53 +0100
> Subject: [PATCH 2/2] daemon: write-file: Check range of size parameter (RHBZ#597135).
>
> This also adds a regression test.
> ---
> daemon/file.c | 23 ++++++++++++++++++++++-
> src/generator.ml | 4 +++-
> 2 files changed, 25 insertions(+), 2 deletions(-)

ACK.

Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat Engineering, Virtualisation Team
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490