vnc: avoid underflow when accessing user-provided address
If hostlen is zero, there is a possibility that addrstr[hostlen - 1] underflows and, if a closing bracked is there, hostlen - 2 is passed to g_strndup() on the next line. If websocket==false then addrstr[0] would be a colon, but if websocket==true this could in principle happen. Fix it by checking hostlen. Reported by Coverity. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This commit is contained in:
parent
3488fc3262
commit
3f9c41c5df
2
ui/vnc.c
2
ui/vnc.c
@ -3751,7 +3751,7 @@ static int vnc_display_get_address(const char *addrstr,
|
|||||||
|
|
||||||
addr->type = SOCKET_ADDRESS_TYPE_INET;
|
addr->type = SOCKET_ADDRESS_TYPE_INET;
|
||||||
inet = &addr->u.inet;
|
inet = &addr->u.inet;
|
||||||
if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
|
if (hostlen && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
|
||||||
inet->host = g_strndup(addrstr + 1, hostlen - 2);
|
inet->host = g_strndup(addrstr + 1, hostlen - 2);
|
||||||
} else {
|
} else {
|
||||||
inet->host = g_strndup(addrstr, hostlen);
|
inet->host = g_strndup(addrstr, hostlen);
|
||||||
|
Loading…
Reference in New Issue
Block a user