* [Qemu-devel] [PATCHv2] qdev: Validate hex properties
@ 2013-11-27 7:52 Hannes Reinecke
2013-11-27 9:35 ` Andreas Färber
2013-11-27 12:48 ` Eric Blake
0 siblings, 2 replies; 3+ messages in thread
From: Hannes Reinecke @ 2013-11-27 7:52 UTC (permalink / raw)
To: Andreas Faerber
Cc: Peter Maydell, Hannes Reinecke, qemu-devel, Alexander Graf
strtoul(l) might overflow, in which case it'll return '-1' and set
the appropriate error code. So update the calls to strtoul(l) when
parsing hex properties to avoid silent overflows.
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Eric Blake <eblake@redhat.com>
Signed-off-by: Hannes Reinecke <hare@suse.de>
---
hw/core/qdev-properties.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
index dc8ae69..5a94c04 100644
--- a/hw/core/qdev-properties.c
+++ b/hw/core/qdev-properties.c
@@ -198,7 +198,10 @@ static int parse_hex8(DeviceState *dev, Property *prop, const char *str)
return -EINVAL;
}
+ errno = 0;
*ptr = strtoul(str, &end, 16);
+ if (errno)
+ return -errno;
if ((*end != '\0') || (end == str)) {
return -EINVAL;
}
@@ -329,7 +332,10 @@ static int parse_hex32(DeviceState *dev, Property *prop, const char *str)
return -EINVAL;
}
+ errno = 0;
*ptr = strtoul(str, &end, 16);
+ if (errno)
+ return -errno;
if ((*end != '\0') || (end == str)) {
return -EINVAL;
}
@@ -396,7 +402,10 @@ static int parse_hex64(DeviceState *dev, Property *prop, const char *str)
return -EINVAL;
}
+ errno = 0;
*ptr = strtoull(str, &end, 16);
+ if (errno)
+ return -errno;
if ((*end != '\0') || (end == str)) {
return -EINVAL;
}
--
1.8.1.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Qemu-devel] [PATCHv2] qdev: Validate hex properties
2013-11-27 7:52 [Qemu-devel] [PATCHv2] qdev: Validate hex properties Hannes Reinecke
@ 2013-11-27 9:35 ` Andreas Färber
2013-11-27 12:48 ` Eric Blake
1 sibling, 0 replies; 3+ messages in thread
From: Andreas Färber @ 2013-11-27 9:35 UTC (permalink / raw)
To: Hannes Reinecke; +Cc: Peter Maydell, qemu-devel, Alexander Graf
Am 27.11.2013 08:52, schrieb Hannes Reinecke:
> strtoul(l) might overflow, in which case it'll return '-1' and set
> the appropriate error code. So update the calls to strtoul(l) when
> parsing hex properties to avoid silent overflows.
>
> Cc: Peter Maydell <peter.maydell@linaro.org>
> Cc: Eric Blake <eblake@redhat.com>
> Signed-off-by: Hannes Reinecke <hare@suse.de>
> ---
> hw/core/qdev-properties.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
> index dc8ae69..5a94c04 100644
> --- a/hw/core/qdev-properties.c
> +++ b/hw/core/qdev-properties.c
> @@ -198,7 +198,10 @@ static int parse_hex8(DeviceState *dev, Property *prop, const char *str)
> return -EINVAL;
> }
>
> + errno = 0;
> *ptr = strtoul(str, &end, 16);
> + if (errno)
> + return -errno;
> if ((*end != '\0') || (end == str)) {
> return -EINVAL;
> }
Thanks, this seems to match the requested logic. But please run
checkpatch.pl and add the missing braces. I'll queue it then.
Please add Cc: qemu-stable@nongnu.org to the commit message while at it
since this seems a bug fix that spans multiple releases.
Regards,
Andreas
> @@ -329,7 +332,10 @@ static int parse_hex32(DeviceState *dev, Property *prop, const char *str)
> return -EINVAL;
> }
>
> + errno = 0;
> *ptr = strtoul(str, &end, 16);
> + if (errno)
> + return -errno;
> if ((*end != '\0') || (end == str)) {
> return -EINVAL;
> }
> @@ -396,7 +402,10 @@ static int parse_hex64(DeviceState *dev, Property *prop, const char *str)
> return -EINVAL;
> }
>
> + errno = 0;
> *ptr = strtoull(str, &end, 16);
> + if (errno)
> + return -errno;
> if ((*end != '\0') || (end == str)) {
> return -EINVAL;
> }
>
--
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Qemu-devel] [PATCHv2] qdev: Validate hex properties
2013-11-27 7:52 [Qemu-devel] [PATCHv2] qdev: Validate hex properties Hannes Reinecke
2013-11-27 9:35 ` Andreas Färber
@ 2013-11-27 12:48 ` Eric Blake
1 sibling, 0 replies; 3+ messages in thread
From: Eric Blake @ 2013-11-27 12:48 UTC (permalink / raw)
To: Hannes Reinecke, Andreas Faerber
Cc: Peter Maydell, qemu-devel, Alexander Graf
[-- Attachment #1: Type: text/plain, Size: 1401 bytes --]
On 11/27/2013 12:52 AM, Hannes Reinecke wrote:
> strtoul(l) might overflow, in which case it'll return '-1' and set
> the appropriate error code. So update the calls to strtoul(l) when
> parsing hex properties to avoid silent overflows.
>
> Cc: Peter Maydell <peter.maydell@linaro.org>
> Cc: Eric Blake <eblake@redhat.com>
> Signed-off-by: Hannes Reinecke <hare@suse.de>
> ---
> hw/core/qdev-properties.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
> index dc8ae69..5a94c04 100644
> --- a/hw/core/qdev-properties.c
> +++ b/hw/core/qdev-properties.c
> @@ -198,7 +198,10 @@ static int parse_hex8(DeviceState *dev, Property *prop, const char *str)
> return -EINVAL;
> }
>
> + errno = 0;
> *ptr = strtoul(str, &end, 16);
> + if (errno)
> + return -errno;
> if ((*end != '\0') || (end == str)) {
> return -EINVAL;
> }
Still incomplete. You still have silent overflows. Consider a string of
"0x100". strtoul() does not set errno, but *ptr is set to 0 because
0x100 is bigger than a uint8_t. You HAVE to parse the results into an
unsigned long, then manually check that the resulting unsigned long
value does not overflow *ptr.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 621 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-11-27 12:48 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-11-27 7:52 [Qemu-devel] [PATCHv2] qdev: Validate hex properties Hannes Reinecke
2013-11-27 9:35 ` Andreas Färber
2013-11-27 12:48 ` Eric Blake
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.