diff options
author | Richard Jones <rjones@redhat.com> | 2010-06-01 16:18:53 +0100 |
---|---|---|
committer | Richard Jones <rjones@redhat.com> | 2010-06-02 13:38:00 +0100 |
commit | 9733d4746988b3a072d8bb1daac4b9795b8f4134 (patch) | |
tree | b16bb0f35b2a5dfca0f04454bb9f21d4522f47f4 | |
parent | 52f9cd4882135910ea06e1e50ac6441d455c9ab1 (diff) | |
download | libguestfs-9733d4746988b3a072d8bb1daac4b9795b8f4134.tar.gz libguestfs-9733d4746988b3a072d8bb1daac4b9795b8f4134.tar.xz libguestfs-9733d4746988b3a072d8bb1daac4b9795b8f4134.zip |
daemon: write-file: Check range of size parameter (RHBZ#597135).
This also adds a regression test.
-rw-r--r-- | daemon/file.c | 23 | ||||
-rwxr-xr-x | src/generator.ml | 4 |
2 files changed, 25 insertions, 2 deletions
diff --git a/daemon/file.c b/daemon/file.c index aca1caa6..76000645 100644 --- a/daemon/file.c +++ b/daemon/file.c @@ -288,8 +288,29 @@ do_write_file (const char *path, const char *content, int size) { int fd; + /* This call is deprecated, and it has a broken interface. New code + * should use the 'guestfs_write' call instead. Because we used an + * XDR string type, 'content' cannot contain ASCII NUL and 'size' + * must never be longer than the string. We must check this to + * ensure random stuff from XDR or daemon memory isn't written to + * the file (RHBZ#597135). + */ + if (size < 0) { + reply_with_error ("size cannot be negative"); + return -1; + } + + /* Note content_len must be small because of the limits on protocol + * message size. + */ + int content_len = (int) strlen (content); + if (size == 0) - size = strlen (content); + size = content_len; + else if (size > content_len) { + reply_with_error ("size parameter is larger than string content"); + return -1; + } CHROOT_IN; fd = open (path, O_WRONLY | O_TRUNC | O_CREAT | O_NOCTTY, 0666); diff --git a/src/generator.ml b/src/generator.ml index ff772f52..2c33049d 100755 --- a/src/generator.ml +++ b/src/generator.ml @@ -1543,7 +1543,9 @@ See also: C<guestfs_sfdisk_l>, C<guestfs_sfdisk_N>, C<guestfs_part_init>"); ("write_file", (RErr, [Pathname "path"; String "content"; Int "size"]), 44, [ProtocolLimitWarning; DeprecatedBy "write"], - [], + (* Regression test for RHBZ#597135. *) + [InitBasicFS, Always, TestLastFail + [["write_file"; "/new"; "abc"; "10000"]]], "create a file", "\ This call creates a file called C<path>. The contents of the |