qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCHv2] qdev: Validate hex properties


From: Eric Blake
Subject: Re: [Qemu-devel] [PATCHv2] qdev: Validate hex properties
Date: Wed, 27 Nov 2013 05:48:26 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0

On 11/27/2013 12:52 AM, Hannes Reinecke wrote:
> strtoul(l) might overflow, in which case it'll return '-1' and set
> the appropriate error code. So update the calls to strtoul(l) when
> parsing hex properties to avoid silent overflows.
> 
> Cc: Peter Maydell <address@hidden>
> Cc: Eric Blake <address@hidden>
> Signed-off-by: Hannes Reinecke <address@hidden>
> ---
>  hw/core/qdev-properties.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
> index dc8ae69..5a94c04 100644
> --- a/hw/core/qdev-properties.c
> +++ b/hw/core/qdev-properties.c
> @@ -198,7 +198,10 @@ static int parse_hex8(DeviceState *dev, Property *prop, 
> const char *str)
>          return -EINVAL;
>      }
>  
> +    errno = 0;
>      *ptr = strtoul(str, &end, 16);
> +    if (errno)
> +        return -errno;
>      if ((*end != '\0') || (end == str)) {
>          return -EINVAL;
>      }

Still incomplete. You still have silent overflows.  Consider a string of
"0x100".  strtoul() does not set errno, but *ptr is set to 0 because
0x100 is bigger than a uint8_t.  You HAVE to parse the results into an
unsigned long, then manually check that the resulting unsigned long
value does not overflow *ptr.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]