Re: [Qemu-devel] [PATCH] bt: use size_t type for length parameters inste
From: Paolo Bonzini
Subject: Re: [Qemu-devel] [PATCH] bt: use size_t type for length parameters instead of signed int
Date: Thu, 18 Oct 2018 12:59:40 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.0

On 17/10/2018 22:58, P J P wrote:
> From: Prasad J Pandit <address@hidden>
>
> The length parameter values are not negative, thus use an unsigned
> type 'size_t' for them. Many routines pass 'len' values to memcpy(3)
> calls. If it was negative, it could lead to memory corruption issues.

You are not fixing anything here; if the length was negative before, it
would still overflow and it would now be a huge positive value.

So you have to first find out all places where something is subtracted
from the length, and ensure it's okay or add assertions.

Then you have to check a much more important issue: places that use a
fixed-size buffer such as vhci_host_send should range check len first,
again with an assertion if needed.

Only then it makes sense to use size_t.

Paolo
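
Added example (not part of the original message or of QEMU's code): a C sketch of the two points in the reply above, that a negative length converted to size_t becomes a huge positive value, and that a length should be range-checked before it is subtracted from or used to copy into a fixed-size buffer. HDR_LEN, BUF_SIZE and all function names are hypothetical, and the check returns an error where an assertion could be used instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN  ((size_t)4)   /* hypothetical header size */
#define BUF_SIZE ((size_t)32)  /* hypothetical fixed-size buffer */

/* A negative int passed to a size_t parameter becomes a huge value. */
size_t as_size(int len) { return (size_t)len; }

/* Unchecked subtraction wraps around when len < HDR_LEN. */
size_t payload_len_unchecked(size_t len) { return len - HDR_LEN; }

/* Checked copy: validate before subtracting and before memcpy(). */
int copy_payload(uint8_t dst[], const uint8_t *pkt, size_t len, size_t *out)
{
    if (len < HDR_LEN)
        return -1;                 /* len - HDR_LEN would wrap */
    if (len - HDR_LEN > BUF_SIZE)
        return -1;                 /* payload would overrun dst */
    *out = len - HDR_LEN;
    memcpy(dst, pkt + HDR_LEN, *out);
    return 0;
}

/* Runs copy_payload() on a constructed 40-byte packet.
 * Returns the number of payload bytes copied, or -1 if rejected. */
long demo(size_t claimed_len)
{
    uint8_t pkt[40], dst[BUF_SIZE];
    size_t n = 0;
    memset(pkt, 0xAB, sizeof(pkt));
    if (copy_payload(dst, pkt, claimed_len, &n) != 0)
        return -1;
    return (long)n;
}

int main(void)
{
    printf("(size_t)-1       = %zu\n", as_size(-1));
    printf("2 - HDR_LEN      = %zu\n", payload_len_unchecked(2));
    printf("demo(10)         = %ld\n", demo(10));
    printf("demo(2)          = %ld\n", demo(2));
    printf("demo((size_t)-1) = %ld\n", demo(as_size(-1)));
    return 0;
}
```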