Re: [Qemu-devel] [PATCH] qdict: fix unbounded stack for qdict_array

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] qdict: fix unbounded stack for qdict_array_entr

From:	Eric Blake
Subject:	Re: [Qemu-devel] [PATCH] qdict: fix unbounded stack for qdict_array_entries
Date:	Mon, 21 Mar 2016 14:58:25 -0600
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0

On 03/09/2016 06:36 PM, Peter Xu wrote:
> Sorry to forgot CCing Eric/Markus/Kevin.
> 
> This patch title is not correct, which should be:
> 
> "Fix unbounded stack warning for qdict_array_entries"

Keep the 'qdict:' prefix, but yes, adding "warning" helps the commit
message.

> 
> Do I need to re-send with the same content?

For just the title adjustment, it's up to the maintainer.  Often, a
maintainer will make small changes like that before sending a pull request.

> 
> I'm using g_strdup_printf() here, considering it's most convenient,
> safe, and as long as it's called rarely only when quorum device
> opens.

On the other hand, this information might have been useful...

> 
> Thanks.
> Peter
> 
> On Wed, Mar 09, 2016 at 02:03:38PM +0800, Peter Xu wrote:
>> Signed-off-by: Peter Xu <address@hidden>

...in the commit body proper (explaining why you are always allocating,
because it is not a hot path).  So a v2 might indeed be easier.

>> +++ b/qobject/qdict.c
>> @@ -704,19 +704,16 @@ int qdict_array_entries(QDict *src, const char 
>> *subqdict)
>>      for (i = 0; i < INT_MAX; i++) {
>>          QObject *subqobj;
>>          int subqdict_entries;
>> -        size_t slen = 32 + subqdict_len;
>> -        char indexstr[slen], prefix[slen];
>> -        size_t snprintf_ret;
>> +        char *prefix = g_strdup_printf("%s%u.", subqdict, i);

If we were worried that this could be a hot path, you could add a %n and
&len here...

>>  
>> -        snprintf_ret = snprintf(indexstr, slen, "%s%u", subqdict, i);
>> -        assert(snprintf_ret < slen);
>> +        subqdict_entries = qdict_count_prefixed_entries(src, prefix);
>>  
>> -        subqobj = qdict_get(src, indexstr);
>> +        /* Remove ending "." */
>> +        prefix[strlen(prefix) - 1] = 0x00;

...to avoid the strlen() call here.  But this is not a hot path, and %n
always makes me worry about security, so I'm fine with your approach.

However, 0x00 is a rather verbose way of writing 0 (and even if you want
verbosity, '\0' is more idiomatic 0x00).

At this point, if you send a v2 with s/0x00/0/ and the improved commit
message, you can also include:
Reviewed-by: Eric Blake <address@hidden>

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

signature.asc
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH] qdict: fix unbounded stack for qdict_array_entries, Peter Xu, 2016/03/09
- Re: [Qemu-devel] [PATCH] qdict: fix unbounded stack for qdict_array_entries, Peter Xu, 2016/03/09
  - Re: [Qemu-devel] [PATCH] qdict: fix unbounded stack for qdict_array_entries, Eric Blake <=
    - Re: [Qemu-devel] [PATCH] qdict: fix unbounded stack for qdict_array_entries, Peter Xu, 2016/03/21

Prev by Date: [Qemu-devel] [PULL v2 23/40] ivshmem: Disentangle ivshmem_read()
Next by Date: Re: [Qemu-devel] (no subject)
Previous by thread: Re: [Qemu-devel] [PATCH] qdict: fix unbounded stack for qdict_array_entries
Next by thread: Re: [Qemu-devel] [PATCH] qdict: fix unbounded stack for qdict_array_entries
Index(es):
- Date
- Thread