libvirt/xend-content-buf-fix.patch

commit b1eb7f2e987d21b1711e86e5cb63a69abfce82f1
Author: Jim Fehlig <jfehlig@linux-ypgk.site>
Date:   Fri Jun 4 10:04:03 2010 -0600

    Fixes for commit 211dd1e9
    
    Fixes for issues in commit 211dd1e9 noted by by Jim Meyering.
    
    1. Allocate content buffer of size content_length + 1 to ensure
       NUL-termination.
    2. Limit content buffer size to 64k
    3. Fix whitespace issue
    
    V2:
      - Add comment to clarify allocation of content buffer
      - Add ATTRIBUTE_NONNULL where appropriate
      - User NULLSTR macro

diff --git a/src/xen/xend_internal.c b/src/xen/xend_internal.c
index 0c1a738..51cad92 100644
--- a/src/xen/xend_internal.c
+++ b/src/xen/xend_internal.c
@@ -68,6 +68,7 @@
 # define XEND_CONFIG_MIN_VERS_PVFB_NEWCONF 3
 #endif
 
+#define XEND_RCV_BUF_MAX_LEN 65536
 
 #ifndef PROXY
 static int
@@ -310,7 +311,7 @@ istartswith(const char *haystack, const char *needle)
  * Returns the HTTP return code and @content is set to the
  * allocated memory containing HTTP content.
  */
-static int
+static int ATTRIBUTE_NONNULL (2)
 xend_req(int fd, char **content)
 {
     char buffer[4096];
@@ -330,7 +331,19 @@ xend_req(int fd, char **content)
     if (content_length > 0) {
         ssize_t ret;
 
-        if (VIR_ALLOC_N(*content, content_length) < 0 ) {
+        if (content_length > XEND_RCV_BUF_MAX_LEN) {
+            virXendError(VIR_ERR_INTERNAL_ERROR,
+                         _("Xend returned HTTP Content-Length of %d, "
+                           "which exceeds maximum of %d"),
+                         content_length,
+                         XEND_RCV_BUF_MAX_LEN);
+            return -1;
+        }
+
+        /* Allocate one byte beyond the end of the largest buffer we will read.
+           Combined with the fact that VIR_ALLOC_N zeros the returned buffer,
+           this guarantees that "content" will always be NUL-terminated. */
+        if (VIR_ALLOC_N(*content, content_length + 1) < 0 ) {
             virReportOOMError();
             return -1;
         }
@@ -353,7 +366,7 @@ xend_req(int fd, char **content)
  *
  * Returns the HTTP return code or -1 in case or error.
  */
-static int
+static int ATTRIBUTE_NONNULL(3)
 xend_get(virConnectPtr xend, const char *path,
          char **content)
 {
@@ -379,8 +392,7 @@ xend_get(virConnectPtr xend, const char *path,
         ((ret != 404) || (!STRPREFIX(path, "/xend/domain/")))) {
         virXendError(VIR_ERR_GET_FAILED,
                      _("%d status from xen daemon: %s:%s"),
-                     ret, path,
-                     content ? *content: "NULL");
+                     ret, path, NULLSTR(*content));
     }
 
     return ret;
- Allocate buffer to hold xend content bnc#609738 xend-buff-size.patch - Add upstream fixes to bitmap code that was introduced to fix bnc#594024 bitmap-alloc.patch bitmap-fixes.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=55 2010-06-04 21:22:56 +02:00			`commit b1eb7f2e987d21b1711e86e5cb63a69abfce82f1`
			`Author: Jim Fehlig <jfehlig@linux-ypgk.site>`
			`Date: Fri Jun 4 10:04:03 2010 -0600`

			`Fixes for commit 211dd1e9`

			`Fixes for issues in commit 211dd1e9 noted by by Jim Meyering.`

			`1. Allocate content buffer of size content_length + 1 to ensure`
			`NUL-termination.`
			`2. Limit content buffer size to 64k`
			`3. Fix whitespace issue`

			`V2:`
			`- Add comment to clarify allocation of content buffer`
			`- Add ATTRIBUTE_NONNULL where appropriate`
			`- User NULLSTR macro`

			`diff --git a/src/xen/xend_internal.c b/src/xen/xend_internal.c`
			`index 0c1a738..51cad92 100644`
			`--- a/src/xen/xend_internal.c`
			`+++ b/src/xen/xend_internal.c`
			`@@ -68,6 +68,7 @@`
			`# define XEND_CONFIG_MIN_VERS_PVFB_NEWCONF 3`
			`#endif`

			`+#define XEND_RCV_BUF_MAX_LEN 65536`

			`#ifndef PROXY`
			`static int`
			`@@ -310,7 +311,7 @@ istartswith(const char haystack, const char needle)`
			`* Returns the HTTP return code and @content is set to the`
			`* allocated memory containing HTTP content.`
			`*/`
			`-static int`
			`+static int ATTRIBUTE_NONNULL (2)`
			`xend_req(int fd, char **content)`
			`{`
			`char buffer[4096];`
			`@@ -330,7 +331,19 @@ xend_req(int fd, char **content)`
			`if (content_length > 0) {`
			`ssize_t ret;`

			`- if (VIR_ALLOC_N(*content, content_length) < 0 ) {`
			`+ if (content_length > XEND_RCV_BUF_MAX_LEN) {`
			`+ virXendError(VIR_ERR_INTERNAL_ERROR,`
			`+ _("Xend returned HTTP Content-Length of %d, "`
			`+ "which exceeds maximum of %d"),`
			`+ content_length,`
			`+ XEND_RCV_BUF_MAX_LEN);`
			`+ return -1;`
			`+ }`
			`+`
			`+ /* Allocate one byte beyond the end of the largest buffer we will read.`
			`+ Combined with the fact that VIR_ALLOC_N zeros the returned buffer,`
			`+ this guarantees that "content" will always be NUL-terminated. */`
			`+ if (VIR_ALLOC_N(*content, content_length + 1) < 0 ) {`
			`virReportOOMError();`
			`return -1;`
			`}`
			`@@ -353,7 +366,7 @@ xend_req(int fd, char **content)`
			`*`
			`* Returns the HTTP return code or -1 in case or error.`
			`*/`
			`-static int`
			`+static int ATTRIBUTE_NONNULL(3)`
			`xend_get(virConnectPtr xend, const char *path,`
			`char **content)`
			`{`
			`@@ -379,8 +392,7 @@ xend_get(virConnectPtr xend, const char *path,`
			`((ret != 404) \|\| (!STRPREFIX(path, "/xend/domain/")))) {`
			`virXendError(VIR_ERR_GET_FAILED,`
			`_("%d status from xen daemon: %s:%s"),`
			`- ret, path,`
			`- content ? *content: "NULL");`
			`+ ret, path, NULLSTR(*content));`
			`}`

			`return ret;`