From: Michael Tokarev
Subject: [PATCH v7.2.3 01/30] vnc: avoid underflow when accessing user-provided address
Date: Wed, 17 May 2023 12:10:13 +0300

From: Paolo Bonzini <pbonzini@redhat.com>
If hostlen is zero, there is a possibility that addrstr[hostlen - 1]
underflows and, if a closing bracket is there, hostlen - 2 is passed
to g_strndup() on the next line. If websocket==false then
addrstr[0] would be a colon, but if websocket==true this could in
principle happen.
Fix it by checking hostlen.
Reported by Coverity.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 3f9c41c5df9617510d8533cf6588172efb3df34b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
---
ui/vnc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui/vnc.c b/ui/vnc.c
index 88f55cbf3c..1856d57380 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -3765,7 +3765,7 @@ static int vnc_display_get_address(const char *addrstr,
addr->type = SOCKET_ADDRESS_TYPE_INET;
inet = &addr->u.inet;
- if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
+ if (hostlen && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
inet->host = g_strndup(addrstr + 1, hostlen - 2);
} else {
inet->host = g_strndup(addrstr, hostlen);
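Review bot: The new `hostlen &&` guard in the bracket test is sufficient only by an implicit argument: with hostlen == 1, addrstr[0] and addrstr[hostlen - 1] are the same character, so it cannot be both '[' and ']'. Since the next line passes hostlen - 2 to g_strndup(), writing the condition as `hostlen >= 2 && ...` would state that precondition directly and keep it correct if the bracket test is ever changed. Also worth a short comment: with hostlen == 0 control now falls to the else branch and g_strndup(addrstr, hostlen) yields an empty host string; the visible lines do not show whether an empty host is intended or rejected later in the function.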
--
2.39.2