[Qemu-devel] [PATCHv2] qdev: Validate hex properties

[Qemu-devel] [PATCHv2] qdev: Validate hex properties

[Hannes Reinecke]

strtoul(l) might overflow, in which case it'll return '-1' and set
the appropriate error code. So update the calls to strtoul(l) when
parsing hex properties to avoid silent overflows.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Eric Blake <eblake@redhat.com>
Signed-off-by: Hannes Reinecke <hare@suse.de>
---
 hw/core/qdev-properties.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
index dc8ae69..5a94c04 100644
--- a/hw/core/qdev-properties.c
+++ b/hw/core/qdev-properties.c
@@ -198,7 +198,10 @@ static int parse_hex8(DeviceState *dev, Property *prop, const char *str)
         return -EINVAL;
     }
 
+    errno = 0;
     *ptr = strtoul(str, &end, 16);
+    if (errno)
+        return -errno;
     if ((*end != '\0') || (end == str)) {
         return -EINVAL;
     }
@@ -329,7 +332,10 @@ static int parse_hex32(DeviceState *dev, Property *prop, const char *str)
         return -EINVAL;
     }
 
+    errno = 0;
     *ptr = strtoul(str, &end, 16);
+    if (errno)
+        return -errno;
     if ((*end != '\0') || (end == str)) {
         return -EINVAL;
     }
@@ -396,7 +402,10 @@ static int parse_hex64(DeviceState *dev, Property *prop, const char *str)
         return -EINVAL;
     }
 
+    errno = 0;
     *ptr = strtoull(str, &end, 16);
+    if (errno)
+        return -errno;
     if ((*end != '\0') || (end == str)) {
         return -EINVAL;
     }
-- 
1.8.1.4

Re: [Qemu-devel] [PATCHv2] qdev: Validate hex properties

[Andreas Färber]

Am 27.11.2013 08:52, schrieb Hannes Reinecke:
> strtoul(l) might overflow, in which case it'll return '-1' and set
> the appropriate error code. So update the calls to strtoul(l) when
> parsing hex properties to avoid silent overflows.
> 
> Cc: Peter Maydell <peter.maydell@linaro.org>
> Cc: Eric Blake <eblake@redhat.com>
> Signed-off-by: Hannes Reinecke <hare@suse.de>
> ---
>  hw/core/qdev-properties.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
> index dc8ae69..5a94c04 100644
> --- a/hw/core/qdev-properties.c
> +++ b/hw/core/qdev-properties.c
> @@ -198,7 +198,10 @@ static int parse_hex8(DeviceState *dev, Property *prop, const char *str)
>          return -EINVAL;
>      }
>  
> +    errno = 0;
>      *ptr = strtoul(str, &end, 16);
> +    if (errno)
> +        return -errno;
>      if ((*end != '\0') || (end == str)) {
>          return -EINVAL;
>      }

Thanks, this seems to match the requested logic. But please run
checkpatch.pl and add the missing braces. I'll queue it then.

Please add Cc: qemu-stable@nongnu.org to the commit message while at it
since this seems a bug fix that spans multiple releases.

Regards,
Andreas

> @@ -329,7 +332,10 @@ static int parse_hex32(DeviceState *dev, Property *prop, const char *str)
>          return -EINVAL;
>      }
>  
> +    errno = 0;
>      *ptr = strtoul(str, &end, 16);
> +    if (errno)
> +        return -errno;
>      if ((*end != '\0') || (end == str)) {
>          return -EINVAL;
>      }
> @@ -396,7 +402,10 @@ static int parse_hex64(DeviceState *dev, Property *prop, const char *str)
>          return -EINVAL;
>      }
>  
> +    errno = 0;
>      *ptr = strtoull(str, &end, 16);
> +    if (errno)
> +        return -errno;
>      if ((*end != '\0') || (end == str)) {
>          return -EINVAL;
>      }
> 


-- 
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg

Re: [Qemu-devel] [PATCHv2] qdev: Validate hex properties

[Eric Blake]

[-- Attachment #1: Type: text/plain, Size: 1401 bytes --]

On 11/27/2013 12:52 AM, Hannes Reinecke wrote:
> strtoul(l) might overflow, in which case it'll return '-1' and set
> the appropriate error code. So update the calls to strtoul(l) when
> parsing hex properties to avoid silent overflows.
> 
> Cc: Peter Maydell <peter.maydell@linaro.org>
> Cc: Eric Blake <eblake@redhat.com>
> Signed-off-by: Hannes Reinecke <hare@suse.de>
> ---
>  hw/core/qdev-properties.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
> index dc8ae69..5a94c04 100644
> --- a/hw/core/qdev-properties.c
> +++ b/hw/core/qdev-properties.c
> @@ -198,7 +198,10 @@ static int parse_hex8(DeviceState *dev, Property *prop, const char *str)
>          return -EINVAL;
>      }
>  
> +    errno = 0;
>      *ptr = strtoul(str, &end, 16);
> +    if (errno)
> +        return -errno;
>      if ((*end != '\0') || (end == str)) {
>          return -EINVAL;
>      }

Still incomplete. You still have silent overflows.  Consider a string of
"0x100".  strtoul() does not set errno, but *ptr is set to 0 because
0x100 is bigger than a uint8_t.  You HAVE to parse the results into an
unsigned long, then manually check that the resulting unsigned long
value does not overflow *ptr.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 621 bytes --]