From ec503f28ffbeb007c62e1e5c148cbb8497365543 Mon Sep 17 00:00:00 2001 Message-Id: 
From: Christophe Fergeau Date: Tue, 17 Dec 2013 16:13:21 +0100 Subject: [PATCH] Fix invalid read in virNetSASLSessionClientStep debug log virNetSASLSessionClientStep logs the data that is going to be passed to sasl_client_step as input data. However, it tries to log it as a string, while there is no guarantee that this data is going to be nul-terminated. This leads to this valgrind log: ==20938== Invalid read of size 1 ==20938== at 0x8BDB08F: vfprintf (vfprintf.c:1635) ==20938== by 0x8C06DF2: vasprintf (vasprintf.c:62) ==20938== by 0x4CCEDF9: virVasprintfInternal (virstring.c:337) ==20938== by 0x4CA9516: virLogVMessage (virlog.c:842) ==20938== by 0x4CA939A: virLogMessage (virlog.c:778) ==20938== by 0x4E21E0D: virNetSASLSessionClientStep (virnetsaslcontext.c:458) ==20938== by 0x4DE47B8: remoteAuthSASL (remote_driver.c:4136) ==20938== by 0x4DE33AE: remoteAuthenticate (remote_driver.c:3635) ==20938== by 0x4DDBFAA: doRemoteOpen (remote_driver.c:832) ==20938== by 0x4DDC8BA: remoteConnectOpen (remote_driver.c:1027) ==20938== by 0x4D8595F: do_open (libvirt.c:1239) ==20938== by 0x4D863F3: virConnectOpenAuth (libvirt.c:1481) ==20938== by 0x12762B: vshReconnect (virsh.c:337) ==20938== by 0x12C9B0: vshInit (virsh.c:2470) ==20938== by 0x12E9A5: main (virsh.c:3338) ==20938== Address 0xe329ccd is 0 bytes after a block of size 141 alloc'd ==20938== at 0x4A081D4: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==20938== by 0x8CB91B4: xdr_array (xdr_array.c:94) ==20938== by 0x4E039C2: xdr_remote_auth_sasl_start_ret (remote_protocol.c:3134) ==20938== by 0x4E1F8AA: virNetMessageDecodePayload (virnetmessage.c:405) ==20938== by 0x4E119F5: virNetClientProgramCall (virnetclientprogram.c:377) ==20938== by 0x4DF8141: callFull (remote_driver.c:5794) ==20938== by 0x4DF821A: call (remote_driver.c:5816) ==20938== by 0x4DE46CF: remoteAuthSASL (remote_driver.c:4112) ==20938== by 0x4DE33AE: remoteAuthenticate (remote_driver.c:3635) ==20938== by 0x4DDBFAA: doRemoteOpen 
(remote_driver.c:832) ==20938== by 0x4DDC8BA: remoteConnectOpen (remote_driver.c:1027) ==20938== by 0x4D8595F: do_open (libvirt.c:1239) ==20938== by 0x4D863F3: virConnectOpenAuth (libvirt.c:1481) ==20938== by 0x12762B: vshReconnect (virsh.c:337) ==20938== by 0x12C9B0: vshInit (virsh.c:2470) ==20938== by 0x12E9A5: main (virsh.c:3338) (cherry picked from commit 986900a5af6491d54f7779f6368f1fc41eb53690) https://bugzilla.redhat.com/show_bug.cgi?id=1043864 Signed-off-by: Jiri Denemark
---
 src/rpc/virnetsaslcontext.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/rpc/virnetsaslcontext.c b/src/rpc/virnetsaslcontext.c
index 1baf41e..dbb9a25 100644
--- a/src/rpc/virnetsaslcontext.c
+++ b/src/rpc/virnetsaslcontext.c
@@ -457,7 +457,7 @@ int virNetSASLSessionClientStep(virNetSASLSessionPtr sasl,
 int err;
 int ret = -1;
- VIR_DEBUG("sasl=%p serverin=%s serverinlen=%zu prompt_need=%p clientout=%p clientoutlen=%p",
+ VIR_DEBUG("sasl=%p serverin=%p serverinlen=%zu prompt_need=%p clientout=%p clientoutlen=%p",
 sasl, serverin, serverinlen, prompt_need, clientout, clientoutlen);
 virObjectLock(sasl);
--
1.8.5.1
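Review bot: Nothing at the VIR_DEBUG call records why serverin is now printed with `%p`, so a later logging cleanup could switch it back to `%s`; I would add a comment directly above the call such as `/* serverin is a length-delimited SASL token from the peer, not a NUL-terminated string: log pointer and length only */`. Going by the valgrind trace in the description, the buffer is allocated while XDR-decoding the server's reply, so the over-read was on peer-supplied bytes, and the old format would also have copied challenge data into the debug log. It may be worth checking whether other VIR_DEBUG calls in this file that take a buffer/length pair use the same `%s` pattern; none are visible in this hunk. The body of virNetSASLSessionClientStep starts and ends outside the hunk.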