diff mbox

qdict: fix unbounded stack for qdict_array_entries

Message ID 1457503418-31299-1-git-send-email-peterx@redhat.com (mailing list archive)
State New, archived
Headers show

Commit Message

Peter Xu March 9, 2016, 6:03 a.m. UTC
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 qobject/qdict.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

Comments

Peter Xu March 10, 2016, 1:36 a.m. UTC | #1
Sorry to forgot CCing Eric/Markus/Kevin.

This patch title is not correct, which should be:

"Fix unbounded stack warning for qdict_array_entries"

Do I need to re-send with the same content?

I'm using g_strdup_printf() here, considering it's most convenient,
safe, and as long as it's called rarely only when quorum device
opens.

Thanks.
Peter

On Wed, Mar 09, 2016 at 02:03:38PM +0800, Peter Xu wrote:
> Signed-off-by: Peter Xu <peterx@redhat.com>
> ---
>  qobject/qdict.c | 15 ++++++---------
>  1 file changed, 6 insertions(+), 9 deletions(-)
> 
> diff --git a/qobject/qdict.c b/qobject/qdict.c
> index 9833bd0..9188a87 100644
> --- a/qobject/qdict.c
> +++ b/qobject/qdict.c
> @@ -704,19 +704,16 @@ int qdict_array_entries(QDict *src, const char *subqdict)
>      for (i = 0; i < INT_MAX; i++) {
>          QObject *subqobj;
>          int subqdict_entries;
> -        size_t slen = 32 + subqdict_len;
> -        char indexstr[slen], prefix[slen];
> -        size_t snprintf_ret;
> +        char *prefix = g_strdup_printf("%s%u.", subqdict, i);
>  
> -        snprintf_ret = snprintf(indexstr, slen, "%s%u", subqdict, i);
> -        assert(snprintf_ret < slen);
> +        subqdict_entries = qdict_count_prefixed_entries(src, prefix);
>  
> -        subqobj = qdict_get(src, indexstr);
> +        /* Remove ending "." */
> +        prefix[strlen(prefix) - 1] = 0x00;
> +        subqobj = qdict_get(src, prefix);
>  
> -        snprintf_ret = snprintf(prefix, slen, "%s%u.", subqdict, i);
> -        assert(snprintf_ret < slen);
> +        g_free(prefix);
>  
> -        subqdict_entries = qdict_count_prefixed_entries(src, prefix);
>          if (subqdict_entries < 0) {
>              return subqdict_entries;
>          }
> -- 
> 2.4.3
>
Eric Blake March 21, 2016, 8:58 p.m. UTC | #2
On 03/09/2016 06:36 PM, Peter Xu wrote:
> Sorry to forgot CCing Eric/Markus/Kevin.
> 
> This patch title is not correct, which should be:
> 
> "Fix unbounded stack warning for qdict_array_entries"

Keep the 'qdict:' prefix, but yes, adding "warning" helps the commit
message.

> 
> Do I need to re-send with the same content?

For just the title adjustment, it's up to the maintainer.  Often, a
maintainer will make small changes like that before sending a pull request.

> 
> I'm using g_strdup_printf() here, considering it's most convenient,
> safe, and as long as it's called rarely only when quorum device
> opens.

On the other hand, this information might have been useful...

> 
> Thanks.
> Peter
> 
> On Wed, Mar 09, 2016 at 02:03:38PM +0800, Peter Xu wrote:
>> Signed-off-by: Peter Xu <peterx@redhat.com>

...in the commit body proper (explaining why you are always allocating,
because it is not a hot path).  So a v2 might indeed be easier.

>> +++ b/qobject/qdict.c
>> @@ -704,19 +704,16 @@ int qdict_array_entries(QDict *src, const char *subqdict)
>>      for (i = 0; i < INT_MAX; i++) {
>>          QObject *subqobj;
>>          int subqdict_entries;
>> -        size_t slen = 32 + subqdict_len;
>> -        char indexstr[slen], prefix[slen];
>> -        size_t snprintf_ret;
>> +        char *prefix = g_strdup_printf("%s%u.", subqdict, i);

If we were worried that this could be a hot path, you could add a %n and
&len here...

>>  
>> -        snprintf_ret = snprintf(indexstr, slen, "%s%u", subqdict, i);
>> -        assert(snprintf_ret < slen);
>> +        subqdict_entries = qdict_count_prefixed_entries(src, prefix);
>>  
>> -        subqobj = qdict_get(src, indexstr);
>> +        /* Remove ending "." */
>> +        prefix[strlen(prefix) - 1] = 0x00;

...to avoid the strlen() call here.  But this is not a hot path, and %n
always makes me worry about security, so I'm fine with your approach.

However, 0x00 is a rather verbose way of writing 0 (and even if you want
verbosity, '\0' is more idiomatic 0x00).

At this point, if you send a v2 with s/0x00/0/ and the improved commit
message, you can also include:
Reviewed-by: Eric Blake <eblake@redhat.com>
Peter Xu March 22, 2016, 2:25 a.m. UTC | #3
On Mon, Mar 21, 2016 at 02:58:25PM -0600, Eric Blake wrote:
> On 03/09/2016 06:36 PM, Peter Xu wrote:
> > Sorry to forgot CCing Eric/Markus/Kevin.
> > 
> > This patch title is not correct, which should be:
> > 
> > "Fix unbounded stack warning for qdict_array_entries"
> 
> Keep the 'qdict:' prefix, but yes, adding "warning" helps the commit
> message.
> 
> > 
> > Do I need to re-send with the same content?
> 
> For just the title adjustment, it's up to the maintainer.  Often, a
> maintainer will make small changes like that before sending a pull request.
> 
> > 
> > I'm using g_strdup_printf() here, considering it's most convenient,
> > safe, and as long as it's called rarely only when quorum device
> > opens.
> 
> On the other hand, this information might have been useful...
> 
> > 
> > Thanks.
> > Peter
> > 
> > On Wed, Mar 09, 2016 at 02:03:38PM +0800, Peter Xu wrote:
> >> Signed-off-by: Peter Xu <peterx@redhat.com>
> 
> ...in the commit body proper (explaining why you are always allocating,
> because it is not a hot path).  So a v2 might indeed be easier.
> 
> >> +++ b/qobject/qdict.c
> >> @@ -704,19 +704,16 @@ int qdict_array_entries(QDict *src, const char *subqdict)
> >>      for (i = 0; i < INT_MAX; i++) {
> >>          QObject *subqobj;
> >>          int subqdict_entries;
> >> -        size_t slen = 32 + subqdict_len;
> >> -        char indexstr[slen], prefix[slen];
> >> -        size_t snprintf_ret;
> >> +        char *prefix = g_strdup_printf("%s%u.", subqdict, i);
> 
> If we were worried that this could be a hot path, you could add a %n and
> &len here...
> 
> >>  
> >> -        snprintf_ret = snprintf(indexstr, slen, "%s%u", subqdict, i);
> >> -        assert(snprintf_ret < slen);
> >> +        subqdict_entries = qdict_count_prefixed_entries(src, prefix);
> >>  
> >> -        subqobj = qdict_get(src, indexstr);
> >> +        /* Remove ending "." */
> >> +        prefix[strlen(prefix) - 1] = 0x00;
> 
> ...to avoid the strlen() call here.  But this is not a hot path, and %n
> always makes me worry about security, so I'm fine with your approach.
> 
> However, 0x00 is a rather verbose way of writing 0 (and even if you want
> verbosity, '\0' is more idiomatic 0x00).
> 
> At this point, if you send a v2 with s/0x00/0/ and the improved commit
> message, you can also include:
> Reviewed-by: Eric Blake <eblake@redhat.com>

Will respin just like above, and with you r-b. Thanks!

-- peterx
diff mbox

Patch

diff --git a/qobject/qdict.c b/qobject/qdict.c
index 9833bd0..9188a87 100644
--- a/qobject/qdict.c
+++ b/qobject/qdict.c
@@ -704,19 +704,16 @@  int qdict_array_entries(QDict *src, const char *subqdict)
     for (i = 0; i < INT_MAX; i++) {
         QObject *subqobj;
         int subqdict_entries;
-        size_t slen = 32 + subqdict_len;
-        char indexstr[slen], prefix[slen];
-        size_t snprintf_ret;
+        char *prefix = g_strdup_printf("%s%u.", subqdict, i);
 
-        snprintf_ret = snprintf(indexstr, slen, "%s%u", subqdict, i);
-        assert(snprintf_ret < slen);
+        subqdict_entries = qdict_count_prefixed_entries(src, prefix);
 
-        subqobj = qdict_get(src, indexstr);
+        /* Remove ending "." */
+        prefix[strlen(prefix) - 1] = 0x00;
+        subqobj = qdict_get(src, prefix);
 
-        snprintf_ret = snprintf(prefix, slen, "%s%u.", subqdict, i);
-        assert(snprintf_ret < slen);
+        g_free(prefix);
 
-        subqdict_entries = qdict_count_prefixed_entries(src, prefix);
         if (subqdict_entries < 0) {
             return subqdict_entries;
         }