qmp: Fix design bug and read beyond buffer in memchar-write (82e59a67) · Commits · Anton / libtcg

Commit 82e59a67 authored 12 years ago by Markus Armbruster Committed by Anthony Liguori 12 years ago

qmp: Fix design bug and read beyond buffer in memchar-write


Command memchar-write takes data and size parameter.  Begs the
question what happens when data doesn't match size.

With format base64, qmp_memchar_write() copies the full data argument,
regardless of size argument.

With format utf8, qmp_memchar_write() copies size bytes from data,
happily reading beyond data.  Copies crap from the heap or even
crashes.

Drop the size parameter, and always copy the full data argument.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

parent 15af6321

No related branches found

No related tags found

Hide whitespace changes

Inline Side-by-side

Showing with 6 additions and 14 deletions

Please register or to comment