Subject: Re: [Qemu-devel] [PATCH 1/2] qdev: factor out qdev_print_devinfo.
From: Markus Armbruster
To: Gerd Hoffmann
Cc: qemu-devel@nongnu.org
Date: Mon, 03 Aug 2009 10:24:44 +0200
Message-ID: <8763d5i9tf.fsf@pike.pond.sub.org>
In-Reply-To: <4A7696BE.6030100@redhat.com> (Gerd Hoffmann's message of "Mon, 03 Aug 2009 09:50:22 +0200")
References: <1248865944-15937-1-git-send-email-kraxel@redhat.com> <87zlak7701.fsf@pike.pond.sub.org> <4A7696BE.6030100@redhat.com>

Gerd Hoffmann writes:

> On 08/01/09 01:44, Markus Armbruster wrote:
>> Gerd Hoffmann writes:
>>
>>> Signed-off-by: Gerd Hoffmann
>>> ---
>>> hw/qdev.c | 19 ++++++++++++++++++-
>>> 1 files changed, 18 insertions(+), 1 deletions(-)
>>>
>>> diff --git a/hw/qdev.c b/hw/qdev.c
>>> index 479eb72..6f05232 100644
>>> --- a/hw/qdev.c
>>> +++ b/hw/qdev.c
>>> @@ -105,6 +105,21 @@ DeviceState *qdev_create(BusState *bus, const char *name)
>>> return dev;
>>> }
>>>
>>> +static int qdev_print_devinfo(DeviceInfo *info, char *dest, int len)
>>> +{
>>> + int pos = 0;
>>> +
>>> + pos += snprintf(dest+pos, len-pos, "name \"%s\", bus %s",
>>> + info->name, info->bus_info->name);
>>> + if (info->alias)
>>> + pos += snprintf(dest+pos, len-pos, ", alias \"%s\"", info->alias);
>>> + if (info->desc)
>>> + pos += snprintf(dest+pos, len-pos, ", desc \"%s\"", info->desc);
>>> + if (info->no_user)
>>> + pos += snprintf(dest+pos, len-pos, ", no-user");
>>> + return pos;
>>> +}
>>> +
>>
>> Isn't len-pos vulnerable to underflow here? The formal parameter type
>> is size_t...
>>
>> [...]
>
> Huh? You mean you want to be able to pass a buffer larger than 2^31 to
> that function?
>
> cheers
>   Gerd

snprintf() returns the length of the output. This may exceed its buffer size argument. Therefore, pos can grow beyond len, and then len-pos becomes negative. Parameter passing casts that to size_t, and snprintf() happily writes beyond the buffer.
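Review bot: the `len-pos` size argument in the qdev_print_devinfo() hunk is unsafe once the output no longer fits. snprintf() returns the length the full output would have had, not the number of bytes written, so after the first truncated call `pos` exceeds `len`; `len-pos` is then a negative int that is converted to size_t when passed as the second argument, and the following `snprintf(dest+pos, len-pos, ...)` writes past the end of `dest`. Suggest making `pos` and `len` size_t and guarding each call, e.g. `if (pos < len) pos += snprintf(dest+pos, len-pos, ...)`, or clamping the write position to `len` while still accumulating the full length in the return value so callers can detect truncation.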
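An added example, not part of this thread or of QEMU's code, that shows the failure Markus describes and a clamped accumulator that avoids it. `devinfo_t`, its field names and the device values used below are constructed stand-ins for qdev's DeviceInfo; `naive_remaining()` reproduces only the size_t conversion of the patch's `len-pos`, it does not perform the out-of-bounds write.

```c
/* Added example, not QEMU code: a clamped snprintf accumulator that can
 * never hand snprintf() a wrapped-around "remaining space" argument. */
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for qdev's DeviceInfo (only the fields formatted). */
typedef struct {
    const char *name;
    const char *bus_name;
    const char *alias;    /* may be NULL */
    const char *desc;     /* may be NULL */
    int no_user;
} devinfo_t;

/* What the patch's `len-pos` becomes once snprintf() has returned a
 * length larger than the remaining space: the negative int is converted
 * to size_t (modular arithmetic), i.e. an enormous buffer size. */
size_t naive_remaining(int len, int pos)
{
    return (size_t)(len - pos);
}

/* Append formatted text at dest+*pos without ever writing past dest[len-1].
 * Like snprintf(), returns the length the whole output would have needed
 * so the caller can detect truncation; *pos is advanced past len when the
 * text is cut, but the write position handed to vsnprintf() is clamped,
 * so the size argument is always len - used >= 0. */
static size_t append_clamped(char *dest, size_t len, size_t *pos,
                             const char *fmt, ...)
{
    va_list ap;
    size_t used = *pos < len ? *pos : len;   /* clamped write position */
    int n;

    va_start(ap, fmt);
    n = vsnprintf(dest + used, len - used, fmt, ap);
    va_end(ap);
    if (n < 0)                /* encoding error: report no progress */
        return *pos;
    *pos += (size_t)n;        /* full length, may exceed len */
    return *pos;
}

/* Hardened equivalent of the patch's qdev_print_devinfo(): returns the
 * untruncated length; a result >= len tells the caller the text was cut. */
size_t print_devinfo_safe(const devinfo_t *info, char *dest, size_t len)
{
    size_t pos = 0;

    append_clamped(dest, len, &pos, "name \"%s\", bus %s",
                   info->name, info->bus_name);
    if (info->alias)
        append_clamped(dest, len, &pos, ", alias \"%s\"", info->alias);
    if (info->desc)
        append_clamped(dest, len, &pos, ", desc \"%s\"", info->desc);
    if (info->no_user)
        append_clamped(dest, len, &pos, ", no-user");
    return pos;
}

/* Truncation path: an 8-byte buffer followed by a canary byte. Returns 1
 * when the output is cut cleanly (NUL-terminated), the full length is
 * reported, and the canary just past the buffer is untouched. */
int demo_truncation_keeps_canary(void)
{
    devinfo_t info = { "e1000", "PCI", "e1k", "Intel Gigabit Ethernet", 0 };
    char buf[8 + 1];
    size_t need;

    memset(buf, 'X', sizeof buf);            /* buf[8] is the canary */
    need = print_devinfo_safe(&info, buf, 8);
    return buf[8] == 'X' && buf[7] == '\0' && need == 65
           && strcmp(buf, "name \"e") == 0;
}

/* Non-truncated path: the reported length equals the string written. */
int demo_full_output(void)
{
    devinfo_t info = { "isa-serial", "ISA", NULL, NULL, 1 };
    char buf[64];
    size_t need = print_devinfo_safe(&info, buf, sizeof buf);

    return need == strlen(buf)
           && strcmp(buf, "name \"isa-serial\", bus ISA, no-user") == 0;
}

int main(void)
{
    printf("(size_t)(16 - 20) = %zu\n", naive_remaining(16, 20));
    printf("truncation keeps canary: %d\n", demo_truncation_keeps_canary());
    printf("full output ok: %d\n", demo_full_output());
    return 0;
}
```

The key design choice is to separate the two quantities the patch conflates: the position handed to vsnprintf() is clamped to the buffer end, while the accumulated length is allowed to exceed it so the caller still learns how big a buffer would have been needed.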