Xfer:features:read truncating xml sent to gdb frontends
Bug #1703147 reported by Duane Voth
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Expired | Undecided | Unassigned |
Bug Description
Around line 1326 in gdbstub.c:
    if (len > (MAX_PACKET_LENGTH - 5) / 2)
        len = (MAX_PACKET_LENGTH - 5) / 2;
is truncating processor reg description xml files longer than 2045 bytes. Deleting these lines works for my immediate need, but they seem to be trying to fix some buffer overrun condition so I won't offer a patch until we understand their purpose.
On 8 July 2017 at 22:19, Duane Voth <email address hidden> wrote:
> Around line 1326 in gdbstub.c:
>
>     if (len > (MAX_PACKET_LENGTH - 5) / 2)
>         len = (MAX_PACKET_LENGTH - 5) / 2;
>
> is truncating processor reg description xml files longer than 2045
> bytes. Deleting these lines works for my immediate need, but they seem
> to be trying to fix some buffer overrun condition so I won't offer a
> patch until we understand their purpose.
Those lines prevent the packet we're constructing overrunning
the buf[] array (in the worst case the packet encoding could
use 2 bytes of buffer for every byte of payload). It's probably
working for you without them because (a) the XML payload doesn't
come near the worst-case and (b) buf[] is followed on the stack
by mem_buf[] which happens to be unused here so overrunning into
it has no visible harmful effects.
Truncating the XML is clearly not what we want though so we
should do something more intelligent...
thanks
-- PMM
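Both behaviours discussed in this thread, as an added example in C that is not QEMU's gdbstub code: the worst-case clamp from the bug report, which keeps a stack buffer safe by assuming every payload byte doubles in size and so cuts a long target XML off at (MAX_PACKET_LENGTH - 5) / 2 bytes, beside a fit-to-buffer encoder that packs as many bytes as really fit and lets the debugger fetch the rest with its next qXfer request. It assumes MAX_PACKET_LENGTH is 4096 (which gives the 2045 bytes the reporter saw), that 4 bytes of each packet go to '$', '#' and the checksum, and the GDB remote protocol's binary escaping, where '#', '$' and '}' are sent as '}' followed by the byte XOR 0x20, which is where the 2:1 worst case comes from. The function names and the 6000-byte sample object are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed value of QEMU's MAX_PACKET_LENGTH: (4096 - 5) / 2 = 2045, the
 * point at which the reporter's XML was cut off. */
#define MAX_PACKET_LENGTH 4096

/* GDB remote protocol binary escaping: '#', '$' and '}' go out as '}' then
 * the byte XOR 0x20, so a payload byte can cost two output bytes. That 2:1
 * worst case is what the clamp in gdbstub.c guards against. */
static bool needs_escape(uint8_t c) { return c == '#' || c == '$' || c == '}'; }

static size_t put_escaped(uint8_t *dst, uint8_t c)
{
    if (!needs_escape(c)) { dst[0] = c; return 1; }
    dst[0] = '}'; dst[1] = c ^ 0x20; return 2;
}

/* Worst-case clamp as in the bug report: assume every byte escapes, so at most
 * dst_len / 2 payload bytes are encoded. Never overruns dst, but silently
 * drops payload that would have fitted. Returns bytes written. */
size_t encode_worst_case(uint8_t *dst, size_t dst_len, const uint8_t *src, size_t len)
{
    size_t out = 0;
    if (len > dst_len / 2) len = dst_len / 2;      /* the truncation the reporter hit */
    for (size_t i = 0; i < len; i++) out += put_escaped(dst + out, src[i]);
    return out;
}

/* Fit-to-buffer alternative: check each byte's real escaped size and stop when
 * the next one would not fit, so an escape pair is never split across packets.
 * Never overruns dst; *consumed gets the payload bytes actually taken. */
size_t encode_fit(uint8_t *dst, size_t dst_len, const uint8_t *src, size_t len,
                  size_t *consumed)
{
    size_t in = 0, out = 0;
    while (in < len) {
        size_t need = needs_escape(src[in]) ? 2 : 1;
        if (out + need > dst_len) break;
        out += put_escaped(dst + out, src[in++]);
    }
    *consumed = in;
    return out;
}

/* Body of one qXfer reply for [offset, offset + len) of a total_len-byte object:
 * 'm' (more follows) or 'l' (last) followed by escaped data. buf_len is the body
 * capacity; the '$', '#' and checksum digits framing it are the caller's. */
size_t build_xfer_reply(uint8_t *buf, size_t buf_len, const uint8_t *obj,
                        size_t total_len, size_t offset, size_t len)
{
    size_t consumed = 0, n = 0;
    if (buf_len == 0) return 0;
    if (offset < total_len) {
        if (len > total_len - offset) len = total_len - offset;
        n = encode_fit(buf + 1, buf_len - 1, obj + offset, len, &consumed);
    }
    buf[0] = (offset + consumed < total_len) ? 'm' : 'l';
    return n + 1;
}

/* Undo the escaping. The decoded length never exceeds n. */
size_t decode_escaped(uint8_t *dst, const uint8_t *src, size_t n)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++)
        dst[out++] = (src[i] == '}' && i + 1 < n) ? (src[++i] ^ 0x20) : src[i];
    return out;
}

/* Client side as gdb does it: ask again from the offset reached so far until an
 * 'l' reply, so a reply shorter than requested loses nothing. Returns the bytes
 * reassembled into dst, or 0 on error. */
size_t fetch_object(uint8_t *dst, size_t dst_cap, const uint8_t *obj,
                    size_t total_len, size_t req)
{
    uint8_t body[MAX_PACKET_LENGTH - 4], plain[MAX_PACKET_LENGTH];
    size_t offset = 0;
    for (;;) {
        size_t n = build_xfer_reply(body, sizeof(body), obj, total_len, offset, req);
        if (n == 0) return 0;
        size_t got = decode_escaped(plain, body + 1, n - 1);
        if (got > dst_cap - offset) return 0;      /* would overrun the caller's buffer */
        memcpy(dst + offset, plain, got);
        offset += got;
        if (body[0] == 'l') return offset;
        if (got == 0) return 0;                    /* no progress: do not spin forever */
    }
}

/* Constructed sample, not a real target description: 6000 bytes with a '#'
 * every 100 bytes, well past the 2045-byte clamp. Returns 1 if it round-trips
 * through the chunked fetch. */
int demo_roundtrip(void)
{
    static uint8_t obj[6000], copy[6000];
    for (size_t i = 0; i < sizeof(obj); i++) obj[i] = (i % 100 == 99) ? '#' : 'a';
    return fetch_object(copy, sizeof(copy), obj, sizeof(obj), 4096) == sizeof(obj)
        && memcmp(obj, copy, sizeof(obj)) == 0;
}

/* The same object size through the worst-case clamp with a body of
 * MAX_PACKET_LENGTH - 4 bytes (4 assumed for framing, 1 for 'm'/'l'): only
 * 2045 of the 6000 bytes are encoded, matching the bug report. */
size_t demo_truncated(void)
{
    static uint8_t obj[6000], body[MAX_PACKET_LENGTH - 4];
    memset(obj, 'a', sizeof(obj));
    return encode_worst_case(body + 1, sizeof(body) - 1, obj, sizeof(obj));
}
```

The point of the fit-to-buffer version is that the qXfer protocol already tolerates short replies: gdb advances its offset by however many bytes it decoded and asks again, so the stub never needs to know the worst case up front, only to check the real size of each byte before emitting it. Deleting the clamp outright, as the reporter did, is the other extreme and only appears to work because the XML rarely contains the escaped characters and the overrun lands in an adjacent unused stack array.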