From: Peter Maydell <peter.maydell@linaro.org>
Date: Thu, 24 Aug 2023 16:45:35 +0000 (+0100)
Subject: tests/qtest/netdev-socket: Avoid variable-length array in inet_get_free_port_multiple()
X-Git-Tag: v8.2.0-rc0~145^2~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b2a7d8633ff31ea97e7d4edc23af461a28a66d9d;p=thirdparty%2Fqemu.git

tests/qtest/netdev-socket: Avoid variable-length array in inet_get_free_port_multiple()

We use a variable-length array in inet_get_free_port_multiple().
This is only test code called at the start of a test, so switch to a
heap allocation instead.

The codebase has very few VLAs, and if we can get rid of them all we
can make the compiler error on new additions.  This is a defensive
measure against security bugs where an on-stack dynamic allocation
isn't correctly size-checked (e.g.  CVE-2021-3527).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20230824164535.2652070-1-peter.maydell@linaro.org>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---

diff --git a/tests/qtest/netdev-socket.c b/tests/qtest/netdev-socket.c
index 097abc0230b..8eed54801f2 100644
--- a/tests/qtest/netdev-socket.c
+++ b/tests/qtest/netdev-socket.c
@@ -82,7 +82,7 @@ static int inet_get_free_port_socket_ipv6(int sock)
 
 static int inet_get_free_port_multiple(int nb, int *port, bool ipv6)
 {
-    int sock[nb];
+    g_autofree int *sock = g_new(int, nb);
     int i;
 
     for (i = 0; i < nb; i++) {