From: Eric Blake <eblake@redhat.com>
To: Hannes Reinecke <hare@suse.de>, Andreas Faerber <afaerber@suse.de>
Cc: qemu-devel@nongnu.org, Alexander Graf <agraf@suse.de>
Subject: Re: [Qemu-devel] [PATCH] qdev: Validate hex properties
Date: Tue, 26 Nov 2013 08:15:27 -0700 [thread overview]
Message-ID: <5294BB0F.1000805@redhat.com> (raw)
In-Reply-To: <1385478338-27433-1-git-send-email-hare@suse.de>
[-- Attachment #1: Type: text/plain, Size: 1922 bytes --]
On 11/26/2013 08:05 AM, Hannes Reinecke wrote:
> strtoull() might return '-1' to signify an overflow.
Yes, but -1 (aka ULLONG_MAX) is also a valid return when there is not
overflow, so testing for -1 is NOT a reliable indicator on whether
overflow occurred. Also, you mention strtoull() here...
>
> Signed-off-by: Hannes Reinecke <hare@suse.de>
> ---
> hw/core/qdev-properties.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
> index dc8ae69..5761295 100644
> --- a/hw/core/qdev-properties.c
> +++ b/hw/core/qdev-properties.c
> @@ -202,6 +202,9 @@ static int parse_hex8(DeviceState *dev, Property *prop, const char *str)
> if ((*end != '\0') || (end == str)) {
...but this was calling strtoul().
> return -EINVAL;
> }
> + if (*ptr == (uint8_t)-1) {
> + return -ERANGE;
> + }
NAK. This is NOT how you check for overflow with strtoull. Instead,
you should use:
errno = 0;
*ptr = strtoul(str, &end, 16);
if (errno) {
return -errno;
}
if (!*end || end == str) {
return -EINVAL;
}
return 0;
>
> return 0;
> }
> @@ -333,6 +336,9 @@ static int parse_hex32(DeviceState *dev, Property *prop, const char *str)
> if ((*end != '\0') || (end == str)) {
> return -EINVAL;
> }
> + if (*ptr == (uint32_t)-1) {
> + return -ERANGE;
> + }
NAK. And this function is even MORE broken. On a 32-bit platform,
assigning the results of strtol() into a uint32_t may result in silent
truncation. If you are trying to detect overflow, you MUST assign the
results into a long, then check that the long does not overflow
uint32_t, rather than checking (too late) whether the uint32_t has
already been overflowed.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 621 bytes --]
prev parent reply other threads:[~2013-11-26 15:15 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-26 15:05 [Qemu-devel] [PATCH] qdev: Validate hex properties Hannes Reinecke
2013-11-26 15:15 ` Peter Maydell
2013-11-26 15:15 ` Eric Blake [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5294BB0F.1000805@redhat.com \
--to=eblake@redhat.com \
--cc=afaerber@suse.de \
--cc=agraf@suse.de \
--cc=hare@suse.de \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.