qemu: avoid text monitor null deref

Detected by Coverity. If, for some reason, our text monitor input does not match our assumptions, we end up incrementing p while it is NULL, then dereferencing the pointer 0x1, which will fault. * src/qemu/qemu_monitor_text.c (qemuMonitorTextGetBlockStatsParamsNumber): Rewrite to avoid deref of strchr failure. Fix indentation.
2025-01-23 21:15:20 +00:00 · 2011-10-12 18:19:28 -06:00 · 2011-10-12 18:19:28 -06:00 · 60be9e8c0e
commit 60be9e8c0e
parent ce521f242a
1 changed files with 15 additions and 18 deletions
--- a/src/qemu/qemu_monitor_text.c
+++ b/src/qemu/qemu_monitor_text.c
@ -1036,26 +1036,23 @@ int qemuMonitorTextGetBlockStatsParamsNumber(qemuMonitorPtr mon,
     * "floppy0: ")
     */
    p = strchr(p, ' ');
-    p++;

-    while (*p) {
-            if (STRPREFIX (p, "rd_bytes=") ||
-                STRPREFIX (p, "wr_bytes=") ||
-                STRPREFIX (p, "rd_operations=") ||
-                STRPREFIX (p, "wr_operations=") ||
-                STRPREFIX (p, "rd_total_times_ns=") ||
-                STRPREFIX (p, "wr_total_times_ns=") ||
-                STRPREFIX (p, "flush_operations=") ||
-                STRPREFIX (p, "flush_total_times_ns=")) {
+    while (p && p < eol) {
+        if (STRPREFIX (p, " rd_bytes=") ||
+            STRPREFIX (p, " wr_bytes=") ||
+            STRPREFIX (p, " rd_operations=") ||
+            STRPREFIX (p, " wr_operations=") ||
+            STRPREFIX (p, " rd_total_times_ns=") ||
+            STRPREFIX (p, " wr_total_times_ns=") ||
+            STRPREFIX (p, " flush_operations=") ||
+            STRPREFIX (p, " flush_total_times_ns=")) {
            num++;
        } else {
            VIR_DEBUG ("unknown block stat near %s", p);
        }

        /* Skip to next label. */
-            p = strchr (p, ' ');
-            if (!p || p >= eol) break;
-            p++;
+        p = strchr(p + 1, ' ');
    }

    *nparams = num;