From ec503f28ffbeb007c62e1e5c148cbb8497365543 Mon Sep 17 00:00:00 2001

Message-Id: <ec503f28ffbeb007c62e1e5c148cbb8497365543.1387385061.git.jdenemar@redhat.com>

From: Christophe Fergeau <cfergeau@redhat.com>

Date: Tue, 17 Dec 2013 16:13:21 +0100

Subject: [PATCH] Fix invalid read in virNetSASLSessionClientStep debug log

virNetSASLSessionClientStep logs the data that is going to be passed to

sasl_client_step as input data. However, it tries to log it as a string,

while there is no guarantee that this data is going to be nul-terminated.

This leads to this valgrind log:

==20938== Invalid read of size 1

==20938==    at 0x8BDB08F: vfprintf (vfprintf.c:1635)

==20938==    by 0x8C06DF2: vasprintf (vasprintf.c:62)

==20938==    by 0x4CCEDF9: virVasprintfInternal (virstring.c:337)

==20938==    by 0x4CA9516: virLogVMessage (virlog.c:842)

==20938==    by 0x4CA939A: virLogMessage (virlog.c:778)

==20938==    by 0x4E21E0D: virNetSASLSessionClientStep (virnetsaslcontext.c:458)

==20938==    by 0x4DE47B8: remoteAuthSASL (remote_driver.c:4136)

==20938==    by 0x4DE33AE: remoteAuthenticate (remote_driver.c:3635)

==20938==    by 0x4DDBFAA: doRemoteOpen (remote_driver.c:832)

==20938==    by 0x4DDC8BA: remoteConnectOpen (remote_driver.c:1027)

==20938==    by 0x4D8595F: do_open (libvirt.c:1239)

==20938==    by 0x4D863F3: virConnectOpenAuth (libvirt.c:1481)

==20938==    by 0x12762B: vshReconnect (virsh.c:337)

==20938==    by 0x12C9B0: vshInit (virsh.c:2470)

==20938==    by 0x12E9A5: main (virsh.c:3338)

==20938==  Address 0xe329ccd is 0 bytes after a block of size 141 alloc'd

==20938==    at 0x4A081D4: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)

==20938==    by 0x8CB91B4: xdr_array (xdr_array.c:94)

==20938==    by 0x4E039C2: xdr_remote_auth_sasl_start_ret (remote_protocol.c:3134)

==20938==    by 0x4E1F8AA: virNetMessageDecodePayload (virnetmessage.c:405)

==20938==    by 0x4E119F5: virNetClientProgramCall (virnetclientprogram.c:377)

==20938==    by 0x4DF8141: callFull (remote_driver.c:5794)

==20938==    by 0x4DF821A: call (remote_driver.c:5816)

==20938==    by 0x4DE46CF: remoteAuthSASL (remote_driver.c:4112)

==20938==    by 0x4DE33AE: remoteAuthenticate (remote_driver.c:3635)

==20938==    by 0x4DDBFAA: doRemoteOpen (remote_driver.c:832)

==20938==    by 0x4DDC8BA: remoteConnectOpen (remote_driver.c:1027)

==20938==    by 0x4D8595F: do_open (libvirt.c:1239)

==20938==    by 0x4D863F3: virConnectOpenAuth (libvirt.c:1481)

==20938==    by 0x12762B: vshReconnect (virsh.c:337)

==20938==    by 0x12C9B0: vshInit (virsh.c:2470)

==20938==    by 0x12E9A5: main (virsh.c:3338)

(cherry picked from commit 986900a5af6491d54f7779f6368f1fc41eb53690)

https://bugzilla.redhat.com/show_bug.cgi?id=1043864

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>

---

 src/rpc/virnetsaslcontext.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/rpc/virnetsaslcontext.c b/src/rpc/virnetsaslcontext.c

index 1baf41e..dbb9a25 100644

--- a/src/rpc/virnetsaslcontext.c

+++ b/src/rpc/virnetsaslcontext.c

@@ -457,7 +457,7 @@ int virNetSASLSessionClientStep(virNetSASLSessionPtr sasl,

     int err;

     int ret = -1;

-    VIR_DEBUG("sasl=%p serverin=%s serverinlen=%zu prompt_need=%p clientout=%p clientoutlen=%p",

+    VIR_DEBUG("sasl=%p serverin=%p serverinlen=%zu prompt_need=%p clientout=%p clientoutlen=%p",

               sasl, serverin, serverinlen, prompt_need, clientout, clientoutlen);

     virObjectLock(sasl);

-- 

1.8.5.1