Revision 82e59a67

ID 82e59a676c01b3df3b53998d428d0a64a55f2439

Added by Markus Armbruster over 11 years ago

qmp: Fix design bug and read beyond buffer in memchar-write

Command memchar-write takes data and size parameter. Begs the
question what happens when data doesn't match size.

With format base64, qmp_memchar_write() copies the full data argument,
regardless of size argument.

With format utf8, qmp_memchar_write() copies size bytes from data,
happily reading beyond data. Copies crap from the heap or even
crashes.

Drop the size parameter, and always copy the full data argument.

Signed-off-by: Markus Armbruster <>
Reviewed-by: Eric Blake <>
Signed-off-by: Anthony Liguori <>
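
The size/data mismatch described in the commit message, as an added C example that is not QEMU's code and not part of this commit. `struct sink`, `write_with_size`, `write_full` and the `arena` layout are constructed for illustration; the over-read is kept inside one array so the program stays well-defined.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sink standing in for the buffer the command writes to. */
struct sink { unsigned char buf[64]; size_t len; };

/* Constructed layout: a 2-byte string followed by unrelated bytes in the same
 * array, so the over-read below stays inside one object (defined behaviour). */
static const char arena[] = "hi\0NEIGHBOUR";

/* "Before" shape: copies `size` bytes, trusting the caller-supplied size. */
static size_t write_with_size(struct sink *s, const char *data, size_t size)
{
    if (size > sizeof(s->buf))
        size = sizeof(s->buf);      /* bounds the destination only */
    memcpy(s->buf, data, size);     /* source length is never checked */
    return s->len = size;
}

/* "After" shape: no size parameter; the length comes from the data itself. */
static size_t write_full(struct sink *s, const char *data)
{
    size_t n = strlen(data);
    if (n > sizeof(s->buf))
        n = sizeof(s->buf);
    memcpy(s->buf, data, n);
    return s->len = n;
}

/* Returns 1 when bytes beyond the string's terminator reached the sink. */
int demo_overread(void)
{
    struct sink s = {{0}, 0};
    write_with_size(&s, arena, 12); /* declared size 12, string length 2 */
    return s.len == 12 && memcmp(s.buf + 3, "NEIGHBOUR", 9) == 0;
}

/* Returns the number of bytes the fixed shape copies for the same input. */
int demo_fixed(void)
{
    struct sink s = {{0}, 0};
    return (int)write_full(&s, arena);
}

int main(void)
{
    printf("overread=%d fixed_len=%d\n", demo_overread(), demo_fixed());
    return 0;
}
```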