From: Eric Blake
Date: Thu, 13 Oct 2011 00:19:28 +0000 (-0600)
Subject: qemu: avoid text monitor null deref
X-Git-Tag: v0.9.7-rc1~114
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=60be9e8c0e3b983349759bcca399826045eed035;p=thirdparty%2Flibvirt.git

qemu: avoid text monitor null deref

Detected by Coverity. If, for some reason, our text monitor input does not match our assumptions, we end up incrementing p while it is NULL, then dereferencing the pointer 0x1, which will fault.

* src/qemu/qemu_monitor_text.c (qemuMonitorTextGetBlockStatsParamsNumber): Rewrite to avoid deref of strchr failure. Fix indentation.
---
diff --git a/src/qemu/qemu_monitor_text.c b/src/qemu/qemu_monitor_text.c
index 51e8c5c177..1eb9846ac2 100644
--- a/src/qemu/qemu_monitor_text.c
+++ b/src/qemu/qemu_monitor_text.c
@@ -1036,26 +1036,23 @@ int qemuMonitorTextGetBlockStatsParamsNumber(qemuMonitorPtr mon,
 * "floppy0: ") */
 p = strchr(p, ' ');
- p++;
- while (*p) {
- if (STRPREFIX (p, "rd_bytes=") ||
- STRPREFIX (p, "wr_bytes=") ||
- STRPREFIX (p, "rd_operations=") ||
- STRPREFIX (p, "wr_operations=") ||
- STRPREFIX (p, "rd_total_times_ns=") ||
- STRPREFIX (p, "wr_total_times_ns=") ||
- STRPREFIX (p, "flush_operations=") ||
- STRPREFIX (p, "flush_total_times_ns=")) {
- num++;
- } else {
- VIR_DEBUG ("unknown block stat near %s", p);
- }
+ while (p && p < eol) {
+ if (STRPREFIX (p, " rd_bytes=") ||
+ STRPREFIX (p, " wr_bytes=") ||
+ STRPREFIX (p, " rd_operations=") ||
+ STRPREFIX (p, " wr_operations=") ||
+ STRPREFIX (p, " rd_total_times_ns=") ||
+ STRPREFIX (p, " wr_total_times_ns=") ||
+ STRPREFIX (p, " flush_operations=") ||
+ STRPREFIX (p, " flush_total_times_ns=")) {
+ num++;
+ } else {
+ VIR_DEBUG ("unknown block stat near %s", p);
+ }
- /* Skip to next label. */
- p = strchr (p, ' ');
- if (!p || p >= eol) break;
- p++;
+ /* Skip to next label. */
+ p = strchr(p + 1, ' ');
 }
 *nparams = num;
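Review bot: When the initial `p = strchr(p, ' ');` finds no space, the new `while (p && p < eol)` guard now exits cleanly, but the function then reports `*nparams = 0` with no diagnostic, so a monitor reply that does not have the expected `"device: rd_bytes=..."` shape is indistinguishable from a device that genuinely reports no stats; a `VIR_DEBUG("no block stat labels found in reply")` before `*nparams = num;` would make the mismatch visible when debugging. Separately, the retained `VIR_DEBUG ("unknown block stat near %s", p);` prints from p to the end of the whole reply rather than to eol, which is noisy for multi-device output; `VIR_DEBUG("unknown block stat near %.*s", (int)(eol - p), p);` would bound it to the current line. Whether eol itself can be NULL is decided before the hunk (the search for the line end is not shown); if it can, the `p < eol` comparison needs its own guard. qemuMonitorTextGetBlockStatsParamsNumber starts and ends outside the hunk.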