From 07fb9d64b045317235f1f45e3ecbeb5588ff68f6 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange"
Date: Tue, 20 Mar 2007 16:50:42 +0000
Subject: [PATCH] Fixed buffer overflow in qemu networking
---
 ChangeLog | 5 +++++
 qemud/conf.c | 13 +++++++------
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index d9e686e3c7..1132030a17 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Tue Mar 20 10:00:06 EST 2007 Daniel P. Berrange
+
+ * qemud/conf.c: Fixed buffer overflow in code building up
+ command line args for qemu networking
+
 Tue Mar 20 16:40:06 CET 2007 Daniel Veillard
 
 * src/virsh.c: add error messages for negative memory size as
diff --git a/qemud/conf.c b/qemud/conf.c
index e654cd54d5..fb326c15fb 100644
--- a/qemud/conf.c
+++ b/qemud/conf.c
@@ -1301,13 +1301,14 @@ int qemudBuildCommandLine(struct qemud_server *server,
 } else {
 int vlan = 0;
 while (net) {
- char nic[3+1+7+1+17+1];
+ char nic[100];
 
- sprintf(nic, "nic,macaddr=%02x:%02x:%02x:%02x:%02x:%02x,vlan=%d",
- net->mac[0], net->mac[1],
- net->mac[2], net->mac[3],
- net->mac[4], net->mac[5],
- vlan);
+ if (snprintf(nic, sizeof(nic), "nic,macaddr=%02x:%02x:%02x:%02x:%02x:%02x,vlan=%d",
+ net->mac[0], net->mac[1],
+ net->mac[2], net->mac[3],
+ net->mac[4], net->mac[5],
+ vlan) >= sizeof(nic))
+ goto error;
 
 if (!((*argv)[++n] = strdup("-net")))
 goto no_memory;
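Review bot: The truncation check on the new `snprintf` call in qemud/conf.c compares its `int` return with `sizeof(nic)`, so a negative (error) return is caught only because it converts to a large unsigned value in the comparison. Making both cases explicit removes that hidden dependence and the sign-compare warning: keep the result in a local `int len` and test `if (len < 0 || (size_t)len >= sizeof(nic)) goto error;`. The `error` label lies outside this hunk, so it is worth confirming that it releases the `argv` entries already duplicated by earlier loop iterations, as `no_memory` presumably does. `char nic[100]` is a bare constant, and the old hand-summed size overflowed because it left out the `,vlan=%d` suffix, so a comment such as `/* "nic,macaddr=" + 17-char MAC + ",vlan=" + decimal int + NUL, with headroom */` would record why 100 is sufficient.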