util: avoid PATH_MAX-sized array
authorEric Blake <eblake@redhat.com>
Wed, 22 Jun 2011 20:52:32 +0000 (14:52 -0600)
committerEric Blake <eblake@redhat.com>
Wed, 22 Jun 2011 23:13:58 +0000 (17:13 -0600)
See previous patch for why this is good...

* src/util/pci.c (struct _pciDevice, pciGetDevice, pciFreeDevice):
Manage path dynamically.  Report snprintf overflow.
* src/util/hostusb.c (struct _usbDevice, usbGetDevice)
(usbFreeDevice): Likewise.

src/util/hostusb.c
src/util/pci.c

index d5b478b70511d27a17caefeaaa26d734f0e7562d..1669e2f7deb82c812068017b74a66c620f445e61 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2010 Red Hat, Inc.
+ * Copyright (C) 2009-2011 Red Hat, Inc.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -48,7 +48,7 @@ struct _usbDevice {
 
     char          name[USB_ADDR_LEN]; /* domain:bus:slot.function */
     char          id[USB_ID_LEN];     /* product vendor */
-    char          path[PATH_MAX];
+    char          *path;
 };
 
 /* For virReportOOMError()  and virReportSystemError() */
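Review bot: The new `char *path;` member has no comment, unlike `name` and `id` beside it, and it is the only member shown here that owns heap memory. Suggest `char *path; /* heap-allocated in usbGetDevice, released in usbFreeDevice */`, and the equivalent for `struct _pciDevice` in src/util/pci.c. Because the member changed from an array to a pointer, any `sizeof(dev->path)` left elsewhere in either file would now yield the pointer size rather than PATH_MAX; none is visible in these hunks, but it is worth a grep. The struct definition starts outside the hunk.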
@@ -171,13 +171,30 @@ usbGetDevice(unsigned bus,
     dev->bus     = bus;
     dev->dev     = devno;
 
-    snprintf(dev->name, sizeof(dev->name), "%.3o:%.3o",
-             dev->bus, dev->dev);
-    snprintf(dev->path, sizeof(dev->path),
-             USB_DEVFS "%03d/%03d", dev->bus, dev->dev);
+    if (snprintf(dev->name, sizeof(dev->name), "%.3o:%.3o",
+                 dev->bus, dev->dev) >= sizeof(dev->name)) {
+        usbReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("dev->name buffer overflow: %.3o:%.3o"),
+                       dev->bus, dev->dev);
+        usbFreeDevice(dev);
+        return NULL;
+    }
+    if (virAsprintf(&dev->path, USB_DEVFS "%03d/%03d",
+                    dev->bus, dev->dev) < 0) {
+        virReportOOMError();
+        usbFreeDevice(dev);
+        return NULL;
+    }
 
     /* XXX fixme. this should be product/vendor */
-    snprintf(dev->id, sizeof(dev->id), "%d %d", dev->bus, dev->dev);
+    if (snprintf(dev->id, sizeof(dev->id), "%d %d", dev->bus,
+                 dev->dev) >= sizeof(dev->id)) {
+        usbReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("dev->id buffer overflow: %d %d"),
+                       dev->bus, dev->dev);
+        usbFreeDevice(dev);
+        return NULL;
+    }
 
     VIR_DEBUG("%s %s: initialized", dev->id, dev->name);
 
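Review bot: The truncation checks compare snprintf's `int` result directly against `sizeof(...)`, so the comparison happens in `size_t` and a negative return (output error) is rejected only because it converts to a very large unsigned value. Making both cases explicit is clearer and avoids a sign-compare warning: `int rc = snprintf(dev->name, sizeof(dev->name), "%.3o:%.3o", dev->bus, dev->dev);` followed by `if (rc < 0 || (size_t)rc >= sizeof(dev->name)) {`. The same pattern appears in the `dev->id` check in this hunk and in both pciGetDevice hunks in src/util/pci.c. The message text says "buffer overflow" although snprintf only truncates, so wording such as "name too long" would be more accurate. usbGetDevice starts and ends outside the hunk.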
@@ -203,6 +220,7 @@ void
 usbFreeDevice(usbDevice *dev)
 {
     VIR_DEBUG("%s %s: freeing", dev->id, dev->name);
+    VIR_FREE(dev->path);
     VIR_FREE(dev);
 }
 
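Review bot: usbFreeDevice dereferences `dev` in VIR_DEBUG and in the added `VIR_FREE(dev->path);` with no NULL check, whereas pciFreeDevice in src/util/pci.c appears to return early before its VIR_DEBUG (the `return;` at the top of its hunk). A free routine that crashes on NULL is easy to trip from a caller's cleanup path. Add `if (!dev) return;` as the first statement so the two functions behave alike.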
index 8b2ca420a3df47ca5353d137e59a928138cd4973..46a3a835dba1806c2918f6de5bd5297adb1102b9 100644 (file)
@@ -56,7 +56,7 @@ struct _pciDevice {
 
     char          name[PCI_ADDR_LEN]; /* domain:bus:slot.function */
     char          id[PCI_ID_LEN];     /* product vendor */
-    char          path[PATH_MAX];
+    char          *path;
     int           fd;
 
     unsigned      initted;
@@ -1307,10 +1307,21 @@ pciGetDevice(unsigned domain,
     dev->slot     = slot;
     dev->function = function;
 
-    snprintf(dev->name, sizeof(dev->name), "%.4x:%.2x:%.2x.%.1x",
-             dev->domain, dev->bus, dev->slot, dev->function);
-    snprintf(dev->path, sizeof(dev->path),
-             PCI_SYSFS "devices/%s/config", dev->name);
+    if (snprintf(dev->name, sizeof(dev->name), "%.4x:%.2x:%.2x.%.1x",
+                 dev->domain, dev->bus, dev->slot,
+                 dev->function) >= sizeof(dev->name)) {
+        pciReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("dev->name buffer overflow: %.4x:%.2x:%.2x.%.1x"),
+                       dev->domain, dev->bus, dev->slot, dev->function);
+        pciFreeDevice(dev);
+        return NULL;
+    }
+    if (virAsprintf(&dev->path, PCI_SYSFS "devices/%s/config",
+                    dev->name) < 0) {
+        virReportOOMError();
+        pciFreeDevice(dev);
+        return NULL;
+    }
 
     if (access(dev->path, F_OK) != 0) {
         virReportSystemError(errno,
@@ -1334,7 +1345,14 @@ pciGetDevice(unsigned domain,
     }
 
     /* strings contain '0x' prefix */
-    snprintf(dev->id, sizeof(dev->id), "%s %s", &vendor[2], &product[2]);
+    if (snprintf(dev->id, sizeof(dev->id), "%s %s", &vendor[2],
+                 &product[2]) >= sizeof(dev->id)) {
+        pciReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("dev->id buffer overflow: %s %s"),
+                       &vendor[2], &product[2]);
+        pciFreeDevice(dev);
+        return NULL;
+    }
 
     VIR_FREE(product);
     VIR_FREE(vendor);
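Review bot: The new early return for a truncated `dev->id` leaks `vendor` and `product`, because both are released only by the `VIR_FREE(product); VIR_FREE(vendor);` lines after the check, which the error path never reaches. Add `VIR_FREE(product);` and `VIR_FREE(vendor);` before `pciFreeDevice(dev);` in that branch, after the pciReportError call since the message still reads from both strings. How the two strings are allocated is outside the hunk, as are the start and end of pciGetDevice.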
@@ -1351,6 +1369,7 @@ pciFreeDevice(pciDevice *dev)
         return;
     VIR_DEBUG("%s %s: freeing", dev->id, dev->name);
     pciCloseConfig(dev);
+    VIR_FREE(dev->path);
     VIR_FREE(dev);
 }