From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Sun, 23 Mar 2025 21:35:54 +0000 (+0100)
Subject: smbios: Fix buffer overrun when using path= option
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9c605185c2e0ad1d47a5008027ef27d90f57fcbd;p=thirdparty%2Fqemu.git

smbios: Fix buffer overrun when using path= option

We have to make sure the array of bytes read from the path= file
is null-terminated, otherwise we run into a buffer overrun later on.

Fixes: bb99f4772f54017490e3356ecbb3df25c5d4537f ("hw/smbios: support loading OEM strings values from a file")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2879

Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Tested-by: Valentin David <valentin.david@canonical.com>
Message-ID: <20250323213622.2581013-1-daan.j.demeyer@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit a7a05f5f6a4085afbede315e749b1c67e78c966b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
---

diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
index 8a44d3f271d..6ffa1f8c630 100644
--- a/hw/smbios/smbios.c
+++ b/hw/smbios/smbios.c
@@ -1222,6 +1222,9 @@ static int save_opt_one(void *opaque,
             g_byte_array_append(data, (guint8 *)buf, ret);
         }
 
+        buf[0] = '\0';
+        g_byte_array_append(data, (guint8 *)buf, 1);
+
         qemu_close(fd);
 
         *opt->dest = g_renew(char *, *opt->dest, (*opt->ndest) + 1);