Handle copying bitmaps to larger data buffers

If a bitmap of a shorter length than the data buffer is passed to
virBitmapToDataBuf, it will read off the end of the bitmap and copy junk
into the returned buffer. Add a check to only copy the length of the
bitmap to the buffer.

The problem can be observed after setting a vcpu affinity using the vcpupin
command on a system with a large number of cores:
  # virsh vcpupin example_domain 0 0
  # virsh vcpupin example_domain 0
     VCPU   CPU Affinity
    ---------------------------
     0      0,192,197-198,202

Signed-off-by: John Allen <john.allen@amd.com>

diff --git a/src/util/virbitmap.c b/src/util/virbitmap.c
index 3573b973ecd83b079369d7d2a0086f2533154257..91df4b8601d3421d274d7f338513384ed6094e00 100644 (file)
--- a/src/util/virbitmap.c
+++ b/src/util/virbitmap.c
@@ -825,11 +825,15 @@ virBitmapToDataBuf(virBitmapPtr bitmap,
                    unsigned char *bytes,
                    size_t len)
 {
+    size_t nbytes = bitmap->map_len * (VIR_BITMAP_BITS_PER_UNIT / CHAR_BIT);
     unsigned long *l;
     size_t i, j;
 
     memset(bytes, 0, len);
 
+    /* If bitmap and buffer differ in size, only fill to the smaller length */
+    len = MIN(len, nbytes);
+
     /* htole64 is not provided by gnulib, so we do the conversion by hand */
     l = bitmap->map;
     for (i = j = 0; i < len; i++, j++) {