From patchwork Wed Oct 5 09:33:18 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gerd Hoffmann X-Patchwork-Id: 9362683 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 8A46A600C8 for ; Wed, 5 Oct 2016 09:34:18 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7B2F328664 for ; Wed, 5 Oct 2016 09:34:18 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6E2B028745; Wed, 5 Oct 2016 09:34:18 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 1D12628664 for ; Wed, 5 Oct 2016 09:34:18 +0000 (UTC) Received: from localhost ([::1]:47432 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1briaf-0003M5-8C for patchwork-qemu-devel@patchwork.kernel.org; Wed, 05 Oct 2016 05:34:17 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:42752) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bria9-0003JM-W3 for qemu-devel@nongnu.org; Wed, 05 Oct 2016 05:33:50 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bria5-0006ea-QW for qemu-devel@nongnu.org; Wed, 05 Oct 2016 05:33:44 -0400 Received: from mx1.redhat.com ([209.132.183.28]:38186) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bria5-0006eC-K2 for qemu-devel@nongnu.org; Wed, 05 Oct 2016 05:33:41 -0400 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 74DFD338842 for ; Wed, 5 Oct 2016 09:33:40 +0000 (UTC) Received: from nilsson.home.kraxel.org (ovpn-116-39.ams2.redhat.com [10.36.116.39]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u959XdXT006322; Wed, 5 Oct 2016 05:33:40 -0400 Received: by nilsson.home.kraxel.org (Postfix, from userid 500) id C6A6C80A81; Wed, 5 Oct 2016 11:33:38 +0200 (CEST) From: Gerd Hoffmann To: qemu-devel@nongnu.org Date: Wed, 5 Oct 2016 11:33:18 +0200 Message-Id: <1475659998-22045-1-git-send-email-kraxel@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Wed, 05 Oct 2016 09:33:40 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH] usb: fix serial generator X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Gerd Hoffmann Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" X-Virus-Scanned: ClamAV using ClamSMTP snprintf return value is *not* the number of chars written into the buffer, but the number of chars needed. So in case the buffer is too small you can go alloc a bigger one and try again. But that also means you can't simply use the return value for the next snprintf call without checking beforehand that things did actually fit. Problem is that usb_desc_create_serial didn't perform that check, so a loooong path string (can happen with deep pci-bridge nesting) results in the third snprintf call smashing the stack. Fix this by throwing out all the snpintf calls and use g_strdup_printf instead. https://bugzilla.redhat.com/show_bug.cgi?id=1381630 Reported-by: Thomas Huth Signed-off-by: Gerd Hoffmann Reviewed-by: Thomas Huth Reviewed-by: Eric Blake --- hw/usb/desc.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/hw/usb/desc.c b/hw/usb/desc.c index 5e0e1d1..7828e52 100644 --- a/hw/usb/desc.c +++ b/hw/usb/desc.c @@ -556,9 +556,7 @@ void usb_desc_create_serial(USBDevice *dev) DeviceState *hcd = dev->qdev.parent_bus->parent; const USBDesc *desc = usb_device_get_usb_desc(dev); int index = desc->id.iSerialNumber; - char serial[64]; - char *path; - int dst; + char *path, *serial; if (dev->serial) { /* 'serial' usb bus property has priority if present */ @@ -567,14 +565,16 @@ void usb_desc_create_serial(USBDevice *dev) } assert(index != 0 && desc->str[index] != NULL); - dst = snprintf(serial, sizeof(serial), "%s", desc->str[index]); path = qdev_get_dev_path(hcd); if (path) { - dst += snprintf(serial+dst, sizeof(serial)-dst, "-%s", path); + serial = g_strdup_printf("%s-%s-%s", desc->str[index], + path, dev->port->path); + } else { + serial = g_strdup_printf("%s-%s", desc->str[index], dev->port->path); } - dst += snprintf(serial+dst, sizeof(serial)-dst, "-%s", dev->port->path); usb_desc_set_string(dev, index, serial); g_free(path); + g_free(serial); } const char *usb_desc_get_string(USBDevice *dev, uint8_t index)