From a07b5b8acd4a86f87937891f03f71a57c3cd0880 Mon Sep 17 00:00:00 2001
From: Ian Jackson <Ian.Jackson@eu.citrix.com>
Date: Thu, 28 Oct 2010 12:05:45 +0100
Subject: [PATCH] libxl: Fix format string abuses / vulnerabilities

There are a few places where libxl__xs_write is passed a variable
value to write to xenstore, but the semantics are that the first char*
is a format string.  So use "%s".

This fixes the following errors reported by some newer compilers:
 libxl.c: In function "libxl_create_cpupool":
 libxl.c:3981: error: format not a string literal and no format arguments
 libxl.c:3983: error: format not a string literal and no format arguments
 libxl.c: In function "libxl_cpupool_movedomain":
 libxl.c:4095: error: format not a string literal and no format arguments

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Gianni Tedesco <gianni.tedesco@citrix.com>
---
 tools/libxl/libxl.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
index 1a4caea0e3..f40d41b7fc 100644
--- a/tools/libxl/libxl.c
+++ b/tools/libxl/libxl.c
@@ -3978,10 +3978,12 @@ int libxl_create_cpupool(libxl_ctx *ctx, char *name, int schedid,
         t = xs_transaction_start(ctx->xsh);
 
         xs_mkdir(ctx->xsh, t, libxl__sprintf(&gc, "/local/pool/%d", *poolid));
-        libxl__xs_write(&gc, t, libxl__sprintf(&gc, "/local/pool/%d/uuid", *poolid),
-                 uuid_string);
-        libxl__xs_write(&gc, t, libxl__sprintf(&gc, "/local/pool/%d/name", *poolid),
-                 name);
+        libxl__xs_write(&gc, t,
+                        libxl__sprintf(&gc, "/local/pool/%d/uuid", *poolid),
+                        "%s", uuid_string);
+        libxl__xs_write(&gc, t,
+                        libxl__sprintf(&gc, "/local/pool/%d/name", *poolid),
+                        "%s", name);
 
         if (xs_transaction_end(ctx->xsh, t, 0) || (errno != EAGAIN))
             return 0;
@@ -4093,7 +4095,8 @@ int libxl_cpupool_movedomain(libxl_ctx *ctx, uint32_t poolid, uint32_t domid)
         if (!vm_path)
             break;
 
-        libxl__xs_write(&gc, t, libxl__sprintf(&gc, "%s/pool_name", vm_path), poolname);
+        libxl__xs_write(&gc, t, libxl__sprintf(&gc, "%s/pool_name", vm_path),
+                        "%s", poolname);
 
         if (xs_transaction_end(ctx->xsh, t, 0) || (errno != EAGAIN))
             break;
-- 
2.30.2