Don't allow user-supplied values to be used as a format specifier

author Ben Chalmers <ben.chalmers@citrix.com>

Tue, 19 Sep 2017 10:43:48 +0000 (11:43 +0100)

committer Paul Durrant <paul.durrant@citrix.com>

Tue, 19 Sep 2017 10:46:22 +0000 (11:46 +0100)
author Ben Chalmers <ben.chalmers@citrix.com>
Tue, 19 Sep 2017 10:43:48 +0000 (11:43 +0100)
committer Paul Durrant <paul.durrant@citrix.com>
Tue, 19 Sep 2017 10:46:22 +0000 (11:46 +0100)
diff --git a/src/xeniface/ioctl_store.c b/src/xeniface/ioctl_store.c

index 542dbbf5c8490ea2a94e5c389edeed35aa9c8c56..c1db0ba087b185c6db871f329b299f9b09e96e76 100644 (file)
--- a/src/xeniface/ioctl_store.c
+++ b/src/xeniface/ioctl_store.c
@@ -185,7 +185,7 @@ IoctlStoreWrite(
      if (!__IsValidStr(Value, InLen - Length))
          goto fail3;
  
-    status = XENBUS_STORE(Printf, &Fdo->StoreInterface, NULL, NULL, Buffer, Value);
+    status = XENBUS_STORE(Printf, &Fdo->StoreInterface, NULL, NULL, Buffer, "%s", Value);
      if (!NT_SUCCESS(status))
          goto fail4;
  
diff --git a/src/xeniface/wmi.c b/src/xeniface/wmi.c

index 2e0dd87e973881f4aeacebbffbf959ca028116d6..d7e4bb709c964de3e86b7163ed09ba7de323ca59 100644 (file)
--- a/src/xeniface/wmi.c
+++ b/src/xeniface/wmi.c
@@ -1672,7 +1672,7 @@ SessionExecuteSetValue(UCHAR *InBuffer,
              NULL){
          goto fail4;
      }
-    status = XENBUS_STORE(Printf, &fdoData->StoreInterface, session->transaction, NULL, tmppath, tmpvalue);
+    status = XENBUS_STORE(Printf, &fdoData->StoreInterface, session->transaction, NULL, tmppath, "%s", tmpvalue);
      Trace(" Write %s to %s (%p)\n", tmpvalue, tmppath, status);
      UnlockSessions(fdoData);
author	Ben Chalmers <ben.chalmers@citrix.com>
	Tue, 19 Sep 2017 10:43:48 +0000 (11:43 +0100)
committer	Paul Durrant <paul.durrant@citrix.com>
	Tue, 19 Sep 2017 10:46:22 +0000 (11:46 +0100)
src/xeniface/ioctl_store.c		patch \| blob \| blame \| history
src/xeniface/wmi.c		patch \| blob \| blame \| history