From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:47226)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <lersek@redhat.com>) id 1WYAI7-0005Mg-JE
	for qemu-devel@nongnu.org; Thu, 10 Apr 2014 04:25:06 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <lersek@redhat.com>) id 1WYAHz-0003Jq-08
	for qemu-devel@nongnu.org; Thu, 10 Apr 2014 04:24:59 -0400
Received: from mx1.redhat.com ([209.132.183.28]:22841)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <lersek@redhat.com>) id 1WYAHy-0003Jg-OQ
	for qemu-devel@nongnu.org; Thu, 10 Apr 2014 04:24:50 -0400
Received: from int-mx14.intmail.prod.int.phx2.redhat.com
	(int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s3A8OnnC008284
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=OK)
	for <qemu-devel@nongnu.org>; Thu, 10 Apr 2014 04:24:50 -0400
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-60.ams2.redhat.com
	[10.36.116.60])
	by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id s3A8OlIR005705
	for <qemu-devel@nongnu.org>; Thu, 10 Apr 2014 04:24:49 -0400
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 10 Apr 2014 10:24:30 +0200
Message-Id: <1397118285-11715-2-git-send-email-lersek@redhat.com>
In-Reply-To: <1397118285-11715-1-git-send-email-lersek@redhat.com>
References: <1397118285-11715-1-git-send-email-lersek@redhat.com>
Subject: [Qemu-devel] [PATCH 01/16] cutils: tighten qemu_parse_fd()
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

qemu_parse_fd() used to handle at least the following strings incorrectly:
o "-2":         simply let through
o "2147483648": returned as LONG_MAX==INT_MAX on ILP32 (with ERANGE
                ignored); implementation-defined behavior on LP64

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 util/cutils.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/util/cutils.c b/util/cutils.c
index b337293..dbe7412 100644
--- a/util/cutils.c
+++ b/util/cutils.c
@@ -22,10 +22,12 @@
  * THE SOFTWARE.
  */
 #include "qemu-common.h"
 #include "qemu/host-utils.h"
 #include <math.h>
+#include <limits.h>
+#include <errno.h>
 
 #include "qemu/sockets.h"
 #include "qemu/iov.h"
 #include "net/net.h"
 
@@ -455,15 +457,20 @@ int parse_uint_full(const char *s, unsigned long long *value, int base)
     return 0;
 }
 
 int qemu_parse_fd(const char *param)
 {
-    int fd;
-    char *endptr = NULL;
+    long fd;
+    char *endptr;
 
+    errno = 0;
     fd = strtol(param, &endptr, 10);
-    if (*endptr || (fd == 0 && param == endptr)) {
+    if (param == endptr /* no conversion performed */                    ||
+        errno != 0      /* not representable as long; possibly others */ ||
+        *endptr != '\0' /* final string not empty */                     ||
+        fd < 0          /* invalid as file descriptor */                 ||
+        fd > INT_MAX    /* not representable as int */) {
         return -1;
     }
     return fd;
 }
 
-- 
1.8.3.1