]> xenbits.xensource.com Git - xen.git/commitdiff
projects / xen.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: cbe8115)
libxl: fix the bug which will cause heap to break down
authorLi Liang <liangx.z.li@intel.com>
Mon, 30 Jun 2014 00:48:37 +0000 (08:48 +0800)
committerIan Campbell <ian.campbell@citrix.com>
Thu, 3 Jul 2014 09:49:51 +0000 (10:49 +0100)
If the JSON message contains more bytes than QMP_RECEIVE_BUFFER_SIZE,
this bug will break down the heap, that leads to core dump. One more
byte should be allocated to contain the appended null character.

Signed-off-by: Li Liang <liangx.z.li@intel.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
tools/libxl/libxl_qmp.c patch | blob | blame | history

diff --git a/tools/libxl/libxl_qmp.c b/tools/libxl/libxl_qmp.c
index 8433e42370d0e52a317d319e1509092f4526f6f8..5cc56b1a10d49f29b8be3dc0fa949cae26fb7687 100644 (file)
--- a/tools/libxl/libxl_qmp.c
+++ b/tools/libxl/libxl_qmp.c
@@ -456,7 +456,7 @@ static int qmp_next(libxl__gc *gc, libxl__qmp_handler *qmp)
             if (incomplete) {
                 size_t current_pos = s - incomplete;
                 incomplete = libxl__realloc(gc, incomplete,
-                                            incomplete_size + rd);
+                                            incomplete_size + rd + 1);
                 strncat(incomplete + incomplete_size, qmp->buffer, rd);
                 s = incomplete + current_pos;
                 incomplete_size += rd;
Xen (staging and unstable) mirror