diff options
| author | Greg Kurz <groug@kaod.org> | 2017-07-25 19:58:40 +0200 |
|---|---|---|
| committer | David Gibson <david@gibson.dropbear.id.au> | 2017-09-08 09:30:54 +1000 |
| commit | a205a053dcfd89c7ab57aef48d26cd9349388933 (patch) | |
| tree | 1bedf500a5a235433844910ed75c3409f3513877 | |
| parent | 5c3d70e9701402e2755cf5d43f62a305ade4def2 (diff) | |
| download | qemu-a205a053dcfd89c7ab57aef48d26cd9349388933.zip qemu-a205a053dcfd89c7ab57aef48d26cd9349388933.tar.gz qemu-a205a053dcfd89c7ab57aef48d26cd9349388933.tar.bz2 | |
spapr_iommu: use g_strdup_printf() instead of snprintf()
Passing a stack allocated buffer of arbitrary length to snprintf()
without checking the return value can cause the resultant strings
to be silently truncated.
Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
| -rw-r--r-- | hw/ppc/spapr_iommu.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/hw/ppc/spapr_iommu.c b/hw/ppc/spapr_iommu.c index ed2d535..ed4388b 100644 --- a/hw/ppc/spapr_iommu.c +++ b/hw/ppc/spapr_iommu.c @@ -252,17 +252,19 @@ static int spapr_tce_table_realize(DeviceState *dev) { sPAPRTCETable *tcet = SPAPR_TCE_TABLE(dev); Object *tcetobj = OBJECT(tcet); - char tmp[32]; + gchar *tmp; tcet->fd = -1; tcet->need_vfio = false; - snprintf(tmp, sizeof(tmp), "tce-root-%x", tcet->liobn); + tmp = g_strdup_printf("tce-root-%x", tcet->liobn); memory_region_init(&tcet->root, tcetobj, tmp, UINT64_MAX); + g_free(tmp); - snprintf(tmp, sizeof(tmp), "tce-iommu-%x", tcet->liobn); + tmp = g_strdup_printf("tce-iommu-%x", tcet->liobn); memory_region_init_iommu(&tcet->iommu, sizeof(tcet->iommu), TYPE_SPAPR_IOMMU_MEMORY_REGION, tcetobj, tmp, 0); + g_free(tmp); QLIST_INSERT_HEAD(&spapr_tce_tables, tcet, list); @@ -307,7 +309,7 @@ void spapr_tce_set_need_vfio(sPAPRTCETable *tcet, bool need_vfio) sPAPRTCETable *spapr_tce_new_table(DeviceState *owner, uint32_t liobn) { sPAPRTCETable *tcet; - char tmp[32]; + gchar *tmp; if (spapr_tce_find_by_liobn(liobn)) { error_report("Attempted to create TCE table with duplicate" @@ -318,8 +320,9 @@ sPAPRTCETable *spapr_tce_new_table(DeviceState *owner, uint32_t liobn) tcet = SPAPR_TCE_TABLE(object_new(TYPE_SPAPR_TCE_TABLE)); tcet->liobn = liobn; - snprintf(tmp, sizeof(tmp), "tce-table-%x", liobn); + tmp = g_strdup_printf("tce-table-%x", liobn); object_property_add_child(OBJECT(owner), tmp, OBJECT(tcet), NULL); + g_free(tmp); object_property_set_bool(OBJECT(tcet), true, "realized", NULL); |