Re: [Qemu-devel] [PATCHv3] qdev: Validate hex properties

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCHv3] qdev: Validate hex properties

From:	Eric Blake
Subject:	Re: [Qemu-devel] [PATCHv3] qdev: Validate hex properties
Date:	Thu, 28 Nov 2013 10:46:04 -0700
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0

On 11/28/2013 07:09 AM, Andreas Färber wrote:
> Am 28.11.2013 09:39, schrieb Hannes Reinecke:
>> strtoul(l) might overflow, in which case it'll return '-1' and set
>> the appropriate error code. So update the calls to strtoul(l) when
>> parsing hex properties to avoid silent overflows.
>>
>> Signed-off-by: Hannes Reinecke <address@hidden>
>> ---

>> +    if (val > 255) {
>> +        return -ERANGE;
>> +    }
>>      if ((*end != '\0') || (end == str)) {
>>          return -EINVAL;
>>      }
>> -
>> +    *ptr = val;
>>      return 0;
>>  }
>>  
> 
> This part looks okay to me.

Indeed.

> 
>> @@ -329,7 +337,11 @@ static int parse_hex32(DeviceState *dev, Property 
>> *prop, const char *str)
>>          return -EINVAL;
>>      }
>>  
>> +    errno = 0;
>>      *ptr = strtoul(str, &end, 16);
>> +    if (errno) {
>> +        return -errno;
>> +    }
> 
> I can image that on a 64-bit system long can be larger than 32 bits, so
> we'll need an equivalent val > UINT32_MAX check here, I guess?

Also correct - this hunk is incomplete without a post-parse range check.  :(

> 
>>      if ((*end != '\0') || (end == str)) {
>>          return -EINVAL;
>>      }
>> @@ -396,7 +408,11 @@ static int parse_hex64(DeviceState *dev, Property 
>> *prop, const char *str)
>>          return -EINVAL;
>>      }
>>  
>> +    errno = 0;
>>      *ptr = strtoull(str, &end, 16);
>> +    if (errno) {
>> +        return -errno;
>> +    }
>>      if ((*end != '\0') || (end == str)) {
>>          return -EINVAL;
>>      }
> 
> Eric, do we have any size guarantee for long long or do we also need a
> symmetric if (... > UINT64_MAX) { return -ERANGE; } for the unlikely
> 128-bit case?

I don't know of any platform with a long long greater than 64 bits, but
I also think the C99 wording is loose enough to allow such a theoretical
platform.  Personally, I'd be happy with a compile-time assertion that
validates that sizeof(unsigned long long)==sizeof(uint64_t), rather than
writing a range limit that is in practice just dead code.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

signature.asc
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCHv3] qdev: Validate hex properties, Hannes Reinecke, 2013/11/28
- Re: [Qemu-devel] [PATCHv3] qdev: Validate hex properties, Andreas Färber, 2013/11/28
  - Re: [Qemu-devel] [PATCHv3] qdev: Validate hex properties, Eric Blake <=

Prev by Date: Re: [Qemu-devel] [RFC PATCH v3 01/10] hw: arm_gic: Fix gic_set_irq handling
Next by Date: Re: [Qemu-devel] [RFC PATCH v3 09/10] arm_gic: Add GICC_APRn state to the GICState
Previous by thread: Re: [Qemu-devel] [PATCHv3] qdev: Validate hex properties
Next by thread: [Qemu-devel] [PATCH v6 00/10] Drop in_use from BlockDriverState and enable point-in-time snapshot exporting over NBD
Index(es):
- Date
- Thread