On Tue, Sep 27, 2022 at 03:46:21PM +0100, Richard W.M. Jones wrote:
Eric found that passing a zero-length array to nbd_connect_command or
nbd_connect_systemd_socket_activation results in a segfault. This can
be triggered through Python as follows:
$ nbdsh -c 'h.connect_command([])'
nbdsh: generator/states-connect.c:247: enter_STATE_CONNECT_COMMAND_START: Assertion `h->argv.ptr[0]' failed.
Aborted (core dumped)
Reported-by: Eric Blake
---
lib/connect.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/lib/connect.c b/lib/connect.c
index 5008063034..629f35db7c 100644
--- a/lib/connect.c
+++ b/lib/connect.c
@@ -251,6 +251,11 @@ nbd_unlocked_aio_connect_socket (struct nbd_handle *h, int sock)
int
nbd_unlocked_aio_connect_command (struct nbd_handle *h, char **argv)
{
+ if (argv[0] == NULL) {
+ set_error (EINVAL, "argv parameter must have at least 1 element");
+ return -1;
+ }
+
This is basically half of my v3 1/18 patch, the part that was
noncontroversial. Comparing my version to yours, I picked a different
error message:

nbdsh: command line script failed: nbd_connect_command: missing command name in argv list: Invalid argument

and centralized things into a single helper function in utils.c instead
of open-coding it at each affected nbd*_connect_* command.
if (nbd_internal_set_argv (&h->argv, argv) == -1) {
set_error (errno, "realloc");
return -1;
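Review bot: the new check at the top of nbd_unlocked_aio_connect_command reads argv[0] before anything in this function has established that argv itself is non-NULL; unless the generated public wrapper already rejects a NULL argv, a caller passing NULL reaches a crash of the same kind this patch is meant to stop, so consider `if (argv == NULL || argv[0] == NULL)`. The commit message cites the assertion in generator/states-connect.c:247 and the `h.connect_command([])` reproducer, but the patch adds neither a test for that reproducer nor a note in the API documentation that argv must contain at least one element.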
@@ -263,6 +268,11 @@ int
nbd_unlocked_aio_connect_systemd_socket_activation (struct nbd_handle *h,
char **argv)
{
+ if (argv[0] == NULL) {
+ set_error (EINVAL, "argv parameter must have at least 1 element");
+ return -1;
+ }
+
if (nbd_internal_set_argv (&h->argv, argv) == -1) {
set_error (errno, "realloc");
return -1;
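Review bot: the five added lines are a verbatim copy of the check in the previous hunk, including the same literal error string; factoring the check into one helper (the reply above suggests utils.c) keeps the two entry points from drifting and gives a single place to also handle argv == NULL, instead of repeating the fix at every nbd*_connect_* function that takes an argv list.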
--
2.37.0.rc2
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org