[PATCH] vnc: avoid underflow when accessing user-provided address

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] vnc: avoid underflow when accessing user-provided address

From:	Paolo Bonzini
Subject:	[PATCH] vnc: avoid underflow when accessing user-provided address
Date:	Thu, 30 Mar 2023 14:44:24 +0200

If hostlen is zero, there is a possibility that addrstr[hostlen - 1]
underflows and, if a closing bracked is there, hostlen - 2 is passed
to g_strndup() on the next line.  If websocket==false then
addrstr[0] would be a colon, but if websocket==true this could in
principle happen.

Fix it by checking hostlen.

Reported by Coverity.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 ui/vnc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ui/vnc.c b/ui/vnc.c
index bbd8b6baaeca..9d8a24dd8a69 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -3751,7 +3751,7 @@ static int vnc_display_get_address(const char *addrstr,
 
         addr->type = SOCKET_ADDRESS_TYPE_INET;
         inet = &addr->u.inet;
-        if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
+        if (hostlen && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
             inet->host = g_strndup(addrstr + 1, hostlen - 2);
         } else {
             inet->host = g_strndup(addrstr, hostlen);
-- 
2.39.2

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] vnc: avoid underflow when accessing user-provided address, Paolo Bonzini <=
- Re: [PATCH] vnc: avoid underflow when accessing user-provided address, Philippe Mathieu-Daudé, 2023/03/30

Prev by Date: [PATCH] nvme: remove constant argument to tracepoint
Next by Date: Re: [PATCH] vnc: avoid underflow when accessing user-provided address
Previous by thread: [PATCH] nvme: remove constant argument to tracepoint
Next by thread: Re: [PATCH] vnc: avoid underflow when accessing user-provided address
Index(es):
- Date
- Thread