spapr_drc: use g_strdup_printf() instead of snprintf()
Passing a stack allocated buffer of arbitrary length to snprintf() without checking the return value can cause the resultant strings to be silently truncated. Signed-off-by: Greg Kurz <groug@kaod.org> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This commit is contained in:
Greg Kurz
David Gibson
parent
a205a053dc
commit
f5babeacc4
|
|
@ -492,7 +492,7 @@ static void realize(DeviceState *d, Error **errp)
|
||||||
{
|
{
|
||||||
sPAPRDRConnector *drc = SPAPR_DR_CONNECTOR(d);
|
sPAPRDRConnector *drc = SPAPR_DR_CONNECTOR(d);
|
||||||
Object *root_container;
|
Object *root_container;
|
||||||
char link_name[256];
|
gchar *link_name;
|
||||||
gchar *child_name;
|
gchar *child_name;
|
||||||
Error *err = NULL;
|
Error *err = NULL;
|
||||||
|
|
||||||
|
|
@ -505,12 +505,13 @@ static void realize(DeviceState *d, Error **errp)
|
||||||
* existing in the composition tree
|
* existing in the composition tree
|
||||||
*/
|
*/
|
||||||
root_container = container_get(object_get_root(), DRC_CONTAINER_PATH);
|
root_container = container_get(object_get_root(), DRC_CONTAINER_PATH);
|
||||||
snprintf(link_name, sizeof(link_name), "%x", spapr_drc_index(drc));
|
link_name = g_strdup_printf("%x", spapr_drc_index(drc));
|
||||||
child_name = object_get_canonical_path_component(OBJECT(drc));
|
child_name = object_get_canonical_path_component(OBJECT(drc));
|
||||||
trace_spapr_drc_realize_child(spapr_drc_index(drc), child_name);
|
trace_spapr_drc_realize_child(spapr_drc_index(drc), child_name);
|
||||||
object_property_add_alias(root_container, link_name,
|
object_property_add_alias(root_container, link_name,
|
||||||
drc->owner, child_name, &err);
|
drc->owner, child_name, &err);
|
||||||
g_free(child_name);
|
g_free(child_name);
|
||||||
|
g_free(link_name);
|
||||||
if (err) {
|
if (err) {
|
||||||
error_propagate(errp, err);
|
error_propagate(errp, err);
|
||||||
return;
|
return;
|
||||||
|
|
@ -525,14 +526,15 @@ static void unrealize(DeviceState *d, Error **errp)
|
||||||
{
|
{
|
||||||
sPAPRDRConnector *drc = SPAPR_DR_CONNECTOR(d);
|
sPAPRDRConnector *drc = SPAPR_DR_CONNECTOR(d);
|
||||||
Object *root_container;
|
Object *root_container;
|
||||||
char name[256];
|
gchar *name;
|
||||||
|
|
||||||
trace_spapr_drc_unrealize(spapr_drc_index(drc));
|
trace_spapr_drc_unrealize(spapr_drc_index(drc));
|
||||||
qemu_unregister_reset(drc_reset, drc);
|
qemu_unregister_reset(drc_reset, drc);
|
||||||
vmstate_unregister(DEVICE(drc), &vmstate_spapr_drc, drc);
|
vmstate_unregister(DEVICE(drc), &vmstate_spapr_drc, drc);
|
||||||
root_container = container_get(object_get_root(), DRC_CONTAINER_PATH);
|
root_container = container_get(object_get_root(), DRC_CONTAINER_PATH);
|
||||||
snprintf(name, sizeof(name), "%x", spapr_drc_index(drc));
|
name = g_strdup_printf("%x", spapr_drc_index(drc));
|
||||||
object_property_del(root_container, name, errp);
|
object_property_del(root_container, name, errp);
|
||||||
|
g_free(name);
|
||||||
}
|
}
|
||||||
|
|
||||||
sPAPRDRConnector *spapr_dr_connector_new(Object *owner, const char *type,
|
sPAPRDRConnector *spapr_dr_connector_new(Object *owner, const char *type,
|
||||||
|
|
@ -730,10 +732,11 @@ static const TypeInfo spapr_drc_lmb_info = {
|
||||||
sPAPRDRConnector *spapr_drc_by_index(uint32_t index)
|
sPAPRDRConnector *spapr_drc_by_index(uint32_t index)
|
||||||
{
|
{
|
||||||
Object *obj;
|
Object *obj;
|
||||||
char name[256];
|
gchar *name;
|
||||||
|
|
||||||
snprintf(name, sizeof(name), "%s/%x", DRC_CONTAINER_PATH, index);
|
name = g_strdup_printf("%s/%x", DRC_CONTAINER_PATH, index);
|
||||||
obj = object_resolve_path(name, NULL);
|
obj = object_resolve_path(name, NULL);
|
||||||
|
g_free(name);
|
||||||
|
|
||||||
return !obj ? NULL : SPAPR_DR_CONNECTOR(obj);
|
return !obj ? NULL : SPAPR_DR_CONNECTOR(obj);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue