9d0703d95f
Description:
1. Once a new socket is added, "strncpy" is used to copy instance_name from the source string to the destination, but it does not guarantee null termination.
2. There is a memory overwrite risk when instance_name is obtained from a file's name.

Solution:
1. We bounded the length of the string instance_name to ensure it is "null-terminated".
2. Limit the copy length when instance_name is obtained.

Test Case:
1. Successfully built and deployed 1 controller + 1 compute (virtual).
2. Triggered the memory overwrite in a debug version with some logs added. With the original code, "instance_name" in function "file_to_instance_name()" is assigned a string whose length is greater than its capacity. With the patched code, "instance_name" has a limited assignment length and a null terminator.

Reproduce: To trigger the memory overwrite case, a socket file with a very long name is generated under "/var/lib/libvirt/qemu/", which is monitored by this software.

Closes-Bug: 1794704
Signed-off-by: SidneyAn <ran1.an@intel.com>
Change-Id: Ifb97e3dc1b59ebdc23cda73731fb02dc342d0520
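The two defects the commit message describes, shown side by side as an added C example. This is not the project's code: the buffer size INSTANCE_NAME_LEN, the ".sock" suffix on the monitored socket files, and the shape of file_to_instance_name() are assumptions made for illustration. The first function reproduces the pre-patch strncpy pattern and observes, without reading out of bounds, that no terminator is written when the source fills the buffer; the second derives the instance name from a socket path with a bounded, always-terminated copy and reports truncation so the caller can reject an over-long name instead of silently using a clipped one.

```c
#include <stdio.h>
#include <string.h>

/* Assumed capacity of the instance_name field (hypothetical; the real size is not on this page). */
#define INSTANCE_NAME_LEN 16
/* Assumed suffix of the socket files under /var/lib/libvirt/qemu/ (hypothetical). */
#define SOCKET_SUFFIX ".sock"

/* A name field followed by a guard region, so a missing terminator can be observed
 * with memchr() on the field alone rather than by running strlen() off its end. */
struct guarded_name {
    char name[INSTANCE_NAME_LEN];
    char guard[8];
};

/* Pre-patch pattern: strncpy bounded by the full capacity. When strlen(src) >= capacity,
 * strncpy writes no '\0', and every later strlen()/printf()/strcpy() on `name` runs on
 * into `guard` (or whatever follows the field in the real struct).
 * Returns 1 if no terminator was written, 0 otherwise. */
int unsafe_copy_leaves_no_nul(const char *src)
{
    struct guarded_name g;
    memset(g.guard, 'G', sizeof g.guard);
    strncpy(g.name, src, sizeof g.name);      /* the bug: no byte reserved for '\0' */
    return memchr(g.name, '\0', sizeof g.name) == NULL;
}

/* Copy at most cap-1 bytes of src[0..len) into dst and always terminate.
 * Returns 0 if the whole name fit, -1 if it was truncated. */
static int copy_bounded(char *dst, size_t cap, const char *src, size_t len)
{
    if (cap == 0)
        return -1;
    if (len > cap - 1) {
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Hypothetical file_to_instance_name(): basename of the socket path, minus the assumed
 * ".sock" suffix, copied with copy_bounded(). Returns 0 on success, -1 on truncation;
 * a caller should treat -1 as "not an instance we know" rather than use the clipped name. */
int file_to_instance_name(const char *path, char *dst, size_t cap)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;

    size_t len = strlen(base);
    size_t suf = strlen(SOCKET_SUFFIX);
    if (len >= suf && strcmp(base + len - suf, SOCKET_SUFFIX) == 0)
        len -= suf;

    return copy_bounded(dst, cap, base, len);
}

int main(void)
{
    char name[INSTANCE_NAME_LEN];
    /* Constructed sample paths: a normal socket and the over-long one from the bug report. */
    const char *ok   = "/var/lib/libvirt/qemu/instance-1.sock";
    const char *evil = "/var/lib/libvirt/qemu/instance-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.sock";

    printf("strncpy left no NUL for long name: %d\n",
           unsafe_copy_leaves_no_nul("instance-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"));
    printf("rc=%d name=\"%s\"\n", file_to_instance_name(ok, name, sizeof name), name);
    printf("rc=%d name=\"%s\"\n", file_to_instance_name(evil, name, sizeof name), name);
    return 0;
}
```

The guard struct is only there to make the missing terminator observable in a defined way; in the real agent the bytes after instance_name belong to neighbouring fields, which is exactly the overwrite the commit fixes.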
Tree at this commit:
..
bin
docs
lib
obj
scripts
test
guest_agent.c
guest_host_msg.h
host_agent.c
host_guest_msg_type.h
host_guest_msg.c
host_guest_msg.h
host_instance_mgmt.c
host_instance_mgmt.h
lib_guest_host_msg.c
lib_host_guest_msg.c
LICENSE
Makefile
Makefile.sdk
misc.h
server_group_app.c
server_group.c
server_group.h