Fixed buffer overflow in qemu networking

diff --git a/ChangeLog b/ChangeLog
index d9e686e3c7597158639b998e712cae0e0d9e4e35..1132030a170ad4e66fafb56f45309adab412d764 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Tue Mar 20 10:00:06 EST 2007 Daniel P. Berrange <berrange@redhat.com>
+
+       * qemud/conf.c: Fixed buffer overflow in code building up
+       command line args for qemu networking
+
 Tue Mar 20 16:40:06 CET 2007 Daniel Veillard <veillard@redhat.com>
 
        * src/virsh.c: add error messages for negative memory size as

diff --git a/qemud/conf.c b/qemud/conf.c
index e654cd54d5b78fcb38ab3cfa4102209986d3ad9e..fb326c15fbb4c0caf1ac1139fffedff407cbe5f3 100644 (file)
--- a/qemud/conf.c
+++ b/qemud/conf.c
@@ -1301,13 +1301,14 @@ int qemudBuildCommandLine(struct qemud_server *server,
     } else {
         int vlan = 0;
         while (net) {
-            char nic[3+1+7+1+17+1];
+            char nic[100];
 
-            sprintf(nic, "nic,macaddr=%02x:%02x:%02x:%02x:%02x:%02x,vlan=%d",
-                    net->mac[0], net->mac[1],
-                    net->mac[2], net->mac[3],
-                    net->mac[4], net->mac[5],
-                    vlan);
+            if (snprintf(nic, sizeof(nic), "nic,macaddr=%02x:%02x:%02x:%02x:%02x:%02x,vlan=%d",
+                         net->mac[0], net->mac[1],
+                         net->mac[2], net->mac[3],
+                         net->mac[4], net->mac[5],
+                         vlan) >= sizeof(nic))
+                goto error;
 
             if (!((*argv)[++n] = strdup("-net")))
                 goto no_memory;