From: Eric Blake <eblake@redhat.com>
To: "Andreas Färber" <afaerber@suse.de>, "Hannes Reinecke" <hare@suse.de>
Cc: qemu-devel@nongnu.org, Alexander Graf <agraf@suse.de>
Subject: Re: [Qemu-devel] [PATCHv3] qdev: Validate hex properties
Date: Thu, 28 Nov 2013 10:46:04 -0700 [thread overview]
Message-ID: <5297815C.7000605@redhat.com> (raw)
In-Reply-To: <52974EA6.50301@suse.de>
[-- Attachment #1: Type: text/plain, Size: 2191 bytes --]
On 11/28/2013 07:09 AM, Andreas Färber wrote:
> Am 28.11.2013 09:39, schrieb Hannes Reinecke:
>> strtoul(l) might overflow, in which case it'll return '-1' and set
>> the appropriate error code. So update the calls to strtoul(l) when
>> parsing hex properties to avoid silent overflows.
>>
>> Signed-off-by: Hannes Reinecke <hare@suse.de>
>> ---
>> + if (val > 255) {
>> + return -ERANGE;
>> + }
>> if ((*end != '\0') || (end == str)) {
>> return -EINVAL;
>> }
>> -
>> + *ptr = val;
>> return 0;
>> }
>>
>
> This part looks okay to me.
Indeed.
>
>> @@ -329,7 +337,11 @@ static int parse_hex32(DeviceState *dev, Property *prop, const char *str)
>> return -EINVAL;
>> }
>>
>> + errno = 0;
>> *ptr = strtoul(str, &end, 16);
>> + if (errno) {
>> + return -errno;
>> + }
>
> I can image that on a 64-bit system long can be larger than 32 bits, so
> we'll need an equivalent val > UINT32_MAX check here, I guess?
Also correct - this hunk is incomplete without a post-parse range check. :(
>
>> if ((*end != '\0') || (end == str)) {
>> return -EINVAL;
>> }
>> @@ -396,7 +408,11 @@ static int parse_hex64(DeviceState *dev, Property *prop, const char *str)
>> return -EINVAL;
>> }
>>
>> + errno = 0;
>> *ptr = strtoull(str, &end, 16);
>> + if (errno) {
>> + return -errno;
>> + }
>> if ((*end != '\0') || (end == str)) {
>> return -EINVAL;
>> }
>
> Eric, do we have any size guarantee for long long or do we also need a
> symmetric if (... > UINT64_MAX) { return -ERANGE; } for the unlikely
> 128-bit case?
I don't know of any platform with a long long greater than 64 bits, but
I also think the C99 wording is loose enough to allow such a theoretical
platform. Personally, I'd be happy with a compile-time assertion that
validates that sizeof(unsigned long long)==sizeof(uint64_t), rather than
writing a range limit that is in practice just dead code.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 621 bytes --]
prev parent reply other threads:[~2013-11-28 17:48 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-28 8:39 [Qemu-devel] [PATCHv3] qdev: Validate hex properties Hannes Reinecke
2013-11-28 14:09 ` Andreas Färber
2013-11-28 17:46 ` Eric Blake [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5297815C.7000605@redhat.com \
--to=eblake@redhat.com \
--cc=afaerber@suse.de \
--cc=agraf@suse.de \
--cc=hare@suse.de \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.