From: Kevin Wolf <kwolf@redhat.com>
To: qemu-block@nongnu.org
Cc: kwolf@redhat.com, qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 15/27] sheepdog: Fix snapshot ID parsing in _open(), _create, _goto()
Date: Tue, 7 Mar 2017 16:40:39 +0100 [thread overview]
Message-ID: <1488901251-16214-16-git-send-email-kwolf@redhat.com> (raw)
In-Reply-To: <1488901251-16214-1-git-send-email-kwolf@redhat.com>
From: Markus Armbruster <armbru@redhat.com>
sd_parse_uri() and sd_snapshot_goto() screw up error checking after
strtoul(), and truncate long tag names silently. Fix by replacing
those parts by new sd_parse_snapid_or_tag(), which checks more
carefully.
sd_snapshot_delete() also parses snapshot IDs, but is currently too
broken for me to touch. Mark TODO.
Two calls of strtol() without error checking remain in
parse_redundancy(). Mark them FIXME.
More silent truncation of configuration strings remains elsewhere.
Not marked.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
block/sheepdog.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++----------
1 file changed, 55 insertions(+), 11 deletions(-)
diff --git a/block/sheepdog.c b/block/sheepdog.c
index 187bcd8..d3d3731 100644
--- a/block/sheepdog.c
+++ b/block/sheepdog.c
@@ -914,6 +914,49 @@ static int get_sheep_fd(BDRVSheepdogState *s, Error **errp)
return fd;
}
+/*
+ * Parse numeric snapshot ID in @str
+ * If @str can't be parsed as number, return false.
+ * Else, if the number is zero or too large, set *@snapid to zero and
+ * return true.
+ * Else, set *@snapid to the number and return true.
+ */
+static bool sd_parse_snapid(const char *str, uint32_t *snapid)
+{
+ unsigned long ul;
+ int ret;
+
+ ret = qemu_strtoul(str, NULL, 10, &ul);
+ if (ret == -ERANGE) {
+ ul = ret = 0;
+ }
+ if (ret) {
+ return false;
+ }
+ if (ul > UINT32_MAX) {
+ ul = 0;
+ }
+
+ *snapid = ul;
+ return true;
+}
+
+static bool sd_parse_snapid_or_tag(const char *str,
+ uint32_t *snapid, char tag[])
+{
+ if (!sd_parse_snapid(str, snapid)) {
+ *snapid = 0;
+ if (g_strlcpy(tag, str, SD_MAX_VDI_TAG_LEN) >= SD_MAX_VDI_TAG_LEN) {
+ return false;
+ }
+ } else if (!*snapid) {
+ return false;
+ } else {
+ tag[0] = 0;
+ }
+ return true;
+}
+
static int sd_parse_uri(BDRVSheepdogState *s, const char *filename,
char *vdi, uint32_t *snapid, char *tag)
{
@@ -965,9 +1008,9 @@ static int sd_parse_uri(BDRVSheepdogState *s, const char *filename,
/* snapshot tag */
if (uri->fragment) {
- *snapid = strtoul(uri->fragment, NULL, 10);
- if (*snapid == 0) {
- pstrcpy(tag, SD_MAX_VDI_TAG_LEN, uri->fragment);
+ if (!sd_parse_snapid_or_tag(uri->fragment, snapid, tag)) {
+ ret = -EINVAL;
+ goto out;
}
} else {
*snapid = CURRENT_VDI_ID; /* search current vdi */
@@ -1685,6 +1728,7 @@ static int parse_redundancy(BDRVSheepdogState *s, const char *opt)
}
copy = strtol(n1, NULL, 10);
+ /* FIXME fix error checking by switching to qemu_strtol() */
if (copy > SD_MAX_COPIES || copy < 1) {
return -EINVAL;
}
@@ -1699,6 +1743,7 @@ static int parse_redundancy(BDRVSheepdogState *s, const char *opt)
}
parity = strtol(n2, NULL, 10);
+ /* FIXME fix error checking by switching to qemu_strtol() */
if (parity >= SD_EC_MAX_STRIP || parity < 1) {
return -EINVAL;
}
@@ -2365,19 +2410,16 @@ static int sd_snapshot_goto(BlockDriverState *bs, const char *snapshot_id)
BDRVSheepdogState *old_s;
char tag[SD_MAX_VDI_TAG_LEN];
uint32_t snapid = 0;
- int ret = 0;
+ int ret;
+
+ if (!sd_parse_snapid_or_tag(snapshot_id, &snapid, tag)) {
+ return -EINVAL;
+ }
old_s = g_new(BDRVSheepdogState, 1);
memcpy(old_s, s, sizeof(BDRVSheepdogState));
- snapid = strtoul(snapshot_id, NULL, 10);
- if (snapid) {
- tag[0] = 0;
- } else {
- pstrcpy(tag, sizeof(tag), snapshot_id);
- }
-
ret = reload_inode(s, snapid, tag);
if (ret) {
goto out;
@@ -2483,6 +2525,7 @@ static int sd_snapshot_delete(BlockDriverState *bs,
memset(buf, 0, sizeof(buf));
memset(snap_tag, 0, sizeof(snap_tag));
pstrcpy(buf, SD_MAX_VDI_LEN, s->name);
+ /* TODO Use sd_parse_snapid() once this mess is cleaned up */
ret = qemu_strtoul(snapshot_id, NULL, 10, &snap_id);
if (ret || snap_id > UINT32_MAX) {
/*
@@ -2499,6 +2542,7 @@ static int sd_snapshot_delete(BlockDriverState *bs,
hdr.snapid = (uint32_t) snap_id;
} else {
/* FIXME I suspect we should use @name here */
+ /* FIXME don't truncate silently */
pstrcpy(snap_tag, sizeof(snap_tag), snapshot_id);
pstrcpy(buf + SD_MAX_VDI_LEN, SD_MAX_VDI_TAG_LEN, snap_tag);
}
--
1.8.3.1
next prev parent reply other threads:[~2017-03-07 15:41 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-07 15:40 [Qemu-devel] [PULL 00/27] Block layer fixes for 2.9.0-rc0 Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 01/27] commit: Fix error handling Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 02/27] mirror: Fix permission problem with 'replaces' Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 03/27] mirror: Fix permissions for removing mirror_top_bs Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 04/27] mirror: Fix error path for dirty bitmap creation Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 05/27] block: Fix blockdev-snapshot error handling Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 06/27] block: Factor out should_update_child() Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 07/27] block: Factor out bdrv_replace_child_noperm() Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 08/27] block: Ignore multiple children in bdrv_check_update_perm() Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 09/27] block: Handle permission errors in change_parent_backing_link() Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 10/27] block: Fix error handling in bdrv_replace_in_backing_chain() Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 11/27] sheepdog: Defuse time bomb in sd_open() error handling Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 12/27] sheepdog: Fix error handling in sd_snapshot_delete() Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 13/27] sheepdog: Fix error handling sd_create() Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 14/27] sheepdog: Mark sd_snapshot_delete() lossage FIXME Kevin Wolf
2017-03-07 15:40 ` Kevin Wolf [this message]
2017-03-07 15:40 ` [Qemu-devel] [PULL 16/27] sheepdog: Don't truncate long VDI name in _open(), _create() Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 17/27] sheepdog: Report errors in pseudo-filename more usefully Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 18/27] sheepdog: Use SocketAddress and socket_connect() Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 19/27] sheepdog: Implement bdrv_parse_filename() Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 20/27] gluster: Drop assumptions on SocketTransport names Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 21/27] gluster: Don't duplicate qapi-util.c's qapi_enum_parse() Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 22/27] gluster: Plug memory leaks in qemu_gluster_parse_json() Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 23/27] qapi-schema: Rename GlusterServer to SocketAddressFlat Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 24/27] qapi-schema: Rename SocketAddressFlat's variant tcp to inet Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 25/27] sheepdog: Support blockdev-add Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 26/27] block: Don't use error_abort in blk_new_open Kevin Wolf
2017-03-07 15:40 ` [Qemu-devel] [PULL 27/27] commit: Don't use error_abort in commit_start Kevin Wolf
2017-03-08 14:49 ` [Qemu-devel] [PULL 00/27] Block layer fixes for 2.9.0-rc0 Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1488901251-16214-16-git-send-email-kwolf@redhat.com \
--to=kwolf@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).