pxcloud/spice
5
0
Fork 0
mirror of https://gitlab.uni-freiburg.de/opensourcevdi/spice synced 2026-01-07 20:00:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

stat-file: Fix off by one buffer overflow

Browse Source 
The stat file contains an array of max_nodes elements
so we must stay in [0, max_nodes) range, not [0, max_nodes].

There are no spice path that lead to these overflows but
it's better to have them fixed before creating one.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Jonathon Jongsma <jjongsma@redhat.com>
This commit is contained in:
Frediano Ziglio 2017-02-02 12:40:16 +00:00
parent 1004748c46
commit a29afab028
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
server/stat-file.c
View File

@ -168,7 +168,7 @@ stat_file_add_node(RedStatFile *stat_file, StatNodeRef parent, const char *name,
}
stat_file->stat->generation++;
stat_file->stat->num_of_nodes++;
for (ref = 0; ref <= stat_file->max_nodes; ref++) {
for (ref = 0; ref < stat_file->max_nodes; ref++) {
node = &stat_file->stat->nodes[ref];
if (!(node->flags & SPICE_STAT_NODE_FLAG_ENABLED)) {
break;
@ -211,7 +211,7 @@ static void stat_file_remove(RedStatFile *stat_file, SpiceStatNode *node)
/* children will be orphans */
if (stat_file->stat->root_index == node_ref) {
stat_file->stat->root_index = node_next;
} else for (ref = 0; ref <= stat_file->max_nodes; ref++) {
} else for (ref = 0; ref < stat_file->max_nodes; ref++) {
node = &stat_file->stat->nodes[ref];
if (!(node->flags & SPICE_STAT_NODE_FLAG_ENABLED)) {
continue;