author | Ian Jackson <ian.jackson@eu.citrix.com> | 2013-10-10 15:48:55 +0100 |
---|---|---|
committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2013-10-10 16:59:37 +0100 |
commit | 8f749b254def91001124367d687e9fc6a2793f6b (patch) | |
tree | 5fa614eb8155ae32057a1c0a2de8ed534f4063fd | |
parent | 0a3b0fb38ee4cf4eadfb108534acf5ac4665633a (diff) | |
libxl: fix vif rate parsing
strtok can return NULL here. We don't need to use strtok anyway, so just
use a simple strchr method.
Coverity-ID: 1055642
This is CVE-2013-4369 / XSA-68
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Fix type. Add test case
Signed-off-by: Ian Campbell <Ian.campbell@citrix.com>
(cherry picked from commit c53702cee1d6f9f1b72f0cae0b412e21bcda8724)
(cherry picked from commit 60aefd150bc0ad0c7d325da5ffea0bf4e0544130)
-rwxr-xr-x | tools/libxl/check-xl-vif-parse | 4 | ||||
-rw-r--r-- | tools/libxl/libxlu_vif.c | 19 |
2 files changed, 17 insertions, 6 deletions
diff --git a/tools/libxl/check-xl-vif-parse b/tools/libxl/check-xl-vif-parse
index 0473182a4d..02c6dbaeb6 100755
--- a/tools/libxl/check-xl-vif-parse
+++ b/tools/libxl/check-xl-vif-parse
@@ -206,4 +206,8 @@ expected </dev/null
 one $e rate=4294967295GB/s@5us
 one $e rate=4296MB/s@4294s
+# test include of single '@'
+expected </dev/null
+one $e rate=@
+
 complete
diff --git a/tools/libxl/libxlu_vif.c b/tools/libxl/libxlu_vif.c
index 3b3de0f811..0665e624dc 100644
--- a/tools/libxl/libxlu_vif.c
+++ b/tools/libxl/libxlu_vif.c
@@ -95,23 +95,30 @@ int xlu_vif_parse_rate(XLU_Config *cfg, const char *rate, libxl_device_nic *nic)
 uint64_t bytes_per_sec = 0;
 uint64_t bytes_per_interval = 0;
 uint32_t interval_usecs = 50000UL; /* Default to 50ms */
- char *ratetok, *tmprate;
+ char *p, *tmprate;
 int rc = 0;
 tmprate = strdup(rate);
+ if (tmprate == NULL) {
+ rc = ENOMEM;
+ goto out;
+ }
+
+ p = strchr(tmprate, '@');
+ if (p != NULL)
+ *p++ = 0;
+
 if (!strcmp(tmprate,"")) {
 xlu__vif_err(cfg, "no rate specified", rate);
 rc = EINVAL;
 goto out;
 }
- ratetok = strtok(tmprate, "@");
- rc = vif_parse_rate_bytes_per_sec(cfg, ratetok, &bytes_per_sec);
+ rc = vif_parse_rate_bytes_per_sec(cfg, tmprate, &bytes_per_sec);
 if (rc) goto out;
- ratetok = strtok(NULL, "@");
- if (ratetok != NULL) {
- rc = vif_parse_rate_interval_usecs(cfg, ratetok, &interval_usecs);
+ if (p != NULL) {
+ rc = vif_parse_rate_interval_usecs(cfg, p, &interval_usecs);
 if (rc) goto out;
 } |
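Review bot: The case added at the end of check-xl-vif-parse pins only the bare `rate=@` input, so the neighbouring shapes of the same split stay untested: a missing rate with an interval present, and a rate followed by an empty interval. I would add `one $e rate=@5us` under the same `expected </dev/null`, plus a case for a trailing separator (e.g. `rate=10MB/s@`, a constructed value) once its intended result is decided. The comment could also say what it guards, for example `# regression: a bare '@' used to pass a NULL token to the rate parser (XSA-68)`.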
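Review bot: An empty interval after the separator is not rejected in xlu_vif_parse_rate: for input ending in `@`, the new `*p++ = 0` leaves `p` pointing at an empty string, and `vif_parse_rate_interval_usecs(cfg, p, &interval_usecs)` is then called with it, whereas the removed `strtok(NULL, "@")` path would presumably have returned NULL and kept the 50ms default. Whether the interval parser rejects "" cannot be seen from this hunk, so I would make the decision explicit before the call, e.g. `if (p != NULL && *p == '\0') { xlu__vif_err(cfg, "no interval specified", rate); rc = EINVAL; goto out; }`. The new `rc = ENOMEM` path also returns without an `xlu__vif_err` message, unlike the EINVAL path below it, and it relies on the `out:` label, which lies outside the hunk, coping with a NULL `tmprate`.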