On 10/05/2016 04:33 AM, Gerd Hoffmann wrote: > snprintf return value is *not* the number of chars written into the > buffer, but the number of chars needed. So in case the buffer is too > small you can go alloc a bigger one and try again. But that also means > you can't simply use the return value for the next snprintf call > without checking beforehand that things did actually fit. > > Problem is that usb_desc_create_serial didn't perform that check, so a > loooong path string (can happen with deep pci-bridge nesting) results in > the third snprintf call smashing the stack.
Is this exploitable enough to need a CVE? > > Fix this by throwing out all the snpintf calls and use g_strdup_printf s/snpintf/snprintf/ > instead. > > https://bugzilla.redhat.com/show_bug.cgi?id=1381630 > > Reported-by: Thomas Huth <[email protected]> > Signed-off-by: Gerd Hoffmann <[email protected]> > --- > hw/usb/desc.c | 12 ++++++------ > 1 file changed, 6 insertions(+), 6 deletions(-) Reviewed-by: Eric Blake <[email protected]> -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature
