path: root/qmp-commands.hx
diff options
authorMarkus Armbruster <armbru@redhat.com>2013-02-06 21:27:14 +0100
committerAnthony Liguori <aliguori@us.ibm.com>2013-02-06 16:35:17 -0600
commit82e59a676c01b3df3b53998d428d0a64a55f2439 (patch)
treec57a24a95c993f67f20b55a2d2510a06aacdcd1c /qmp-commands.hx
parent15af6321f4d1f90d0ae1b5cb05093c48b41c4533 (diff)
qmp: Fix design bug and read beyond buffer in memchar-write
Command memchar-write takes data and size parameter. Begs the question what happens when data doesn't match size. With format base64, qmp_memchar_write() copies the full data argument, regardless of size argument. With format utf8, qmp_memchar_write() copies size bytes from data, happily reading beyond data. Copies crap from the heap or even crashes. Drop the size parameter, and always copy the full data argument. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'qmp-commands.hx')
1 files changed, 1 insertions, 3 deletions
diff --git a/qmp-commands.hx b/qmp-commands.hx
index bbb21f3583..8468f1022d 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -467,7 +467,7 @@ EQMP
.name = "memchar-write",
- .args_type = "device:s,size:i,data:s,format:s?",
+ .args_type = "device:s,data:s,format:s?",
.mhandler.cmd_new = qmp_marshal_input_memchar_write,
@@ -481,7 +481,6 @@ char device.
- "device": the name of the char device, must be unique (json-string)
-- "size": the memory size, in bytes, should be power of 2 (json-int)
- "data": the source data write to memory (json-string)
- "format": the data format write to memory, default is
utf8. (json-string, optional)
@@ -491,7 +490,6 @@ Example:
-> { "execute": "memchar-write",
"arguments": { "device": foo,
- "size": 8,
"data": "abcdefgh",
"format": "utf8" } }
<- { "return": {} }