From 7c76516fee790add2ba308b38999e5cebbd24523 Mon Sep 17 00:00:00 2001
From: jiesong <songjie_yewu@cmss.chinamobile.com>
Date: Wed, 13 Aug 2025 23:11:18 +0800
Subject: [PATCH] smbios: Fix buffer overrun when using path= option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We have to make sure the array of bytes read from the path= file
is null-terminated, otherwise we run into a buffer overrun later on.

Fixes: bb99f477 ("hw/smbios: support loading OEM strings values from a file")
Resolves: #2879

Signed-off-by: default avatarDaan De Meyer <daan.j.demeyer@gmail.com>
Reviewed-by: default avatarDaniel P. Berrangé <berrange@redhat.com>
Tested-by: default avatarValentin David <valentin.david@canonical.com>
Message-ID: <20250323213622.2581013-1-daan.j.demeyer@gmail.com>
Signed-off-by: default avatarPhilippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit a7a05f5f)
Signed-off-by: default avatarMichael Tokarev <mjt@tls.msk.ru>
---
 hw/smbios/smbios.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
index c0c5a81e66..be726ce4ac 100644
--- a/hw/smbios/smbios.c
+++ b/hw/smbios/smbios.c
@@ -1223,6 +1223,9 @@ static int save_opt_one(void *opaque,
             g_byte_array_append(data, (guint8 *)buf, ret);
         }
 
+        buf[0] = '\0';
+        g_byte_array_append(data, (guint8 *)buf, 1);
+
         qemu_close(fd);
 
         *opt->dest = g_renew(char *, *opt->dest, (*opt->ndest) + 1);
-- 
Gitee