[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH] libxl: make sure buffer is null-terminated in libxl_read_file_contents

On XenServer 7.1.1, we start a vm with XAPI but attach a block device with xl.
We create an empty json config for the vm with the content "{}\n" and then
run 'xl block-attach':

  #  xl block-attach 1 phy:/dev/loop0 xvdz w
  libxl: error: libxl_json.c:950:libxl__json_parse: yajl error: parse error: 
trailing garbage
                                      {} K]
                       (right here) ------^

  libxl: error: libxl_json.c:1053:libxl__object_from_json: unable to generate 
libxl__json_object from JSON representation of libxl_domain_config.
  libxl: error: libxl.c:1995:device_addrm_aocomplete: unable to add device
  libxl_device_disk_add failed.

After investigation, we found the buffer returned from libxl_read_file_contents
is not null-terminated. But later in libxl__object_from_json, the buffer is 
expected to
be null-terminated. So parsing may exceeded the end of file and get in to 
momery area.

Signed-off-by: Robin Lee <robinlee.sysu@xxxxxxxxx>
 tools/libxl/libxl_utils.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/libxl/libxl_utils.c b/tools/libxl/libxl_utils.c
index 507ee56..51134a7 100644
--- a/tools/libxl/libxl_utils.c
+++ b/tools/libxl/libxl_utils.c
@@ -362,8 +362,9 @@ int libxl_read_file_contents(libxl_ctx *ctx, const char 
     datalen = stab.st_size;
     if (stab.st_size && data_r) {
-        data = malloc(datalen);
+        data = malloc(((size_t)datalen)+1);
         if (!data) goto xe;
+        data[datalen] = 0;  /* make sure buffer null-terminated */
         rs = fread(data, 1, datalen, f);
         if (rs != datalen) {

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.