Message-ID: <5295EA1A.9040407@redhat.com>
Date: Wed, 27 Nov 2013 05:48:26 -0700
From: Eric Blake
To: Hannes Reinecke, Andreas Faerber
Cc: Peter Maydell, qemu-devel@nongnu.org, Alexander Graf
References: <1385538775-4208-1-git-send-email-hare@suse.de>
In-Reply-To: <1385538775-4208-1-git-send-email-hare@suse.de>
Subject: Re: [Qemu-devel] [PATCHv2] qdev: Validate hex properties

On 11/27/2013 12:52 AM, Hannes Reinecke wrote:
> strtoul(l) might overflow, in which case it'll return '-1' and set
> the appropriate error code. So update the calls to strtoul(l) when
> parsing hex properties to avoid silent overflows.
>
> Cc: Peter Maydell
> Cc: Eric Blake
> Signed-off-by: Hannes Reinecke
> ---
> hw/core/qdev-properties.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
> index dc8ae69..5a94c04 100644
> --- a/hw/core/qdev-properties.c
> +++ b/hw/core/qdev-properties.c
> @@ -198,7 +198,10 @@ static int parse_hex8(DeviceState *dev, Property *= prop, const char *str) > return -EINVAL; > } > =20 > + errno =3D 0; > *ptr =3D strtoul(str, &end, 16); > + if (errno) > + return -errno; > if ((*end !=3D '\0') || (end =3D=3D str)) { > return -EINVAL; > } Still incomplete. You still have silent overflows. Consider a string of "0x100". strtoul() does not set errno, but *ptr is set to 0 because 0x100 is bigger than a uint8_t. You HAVE to parse the results into an unsigned long, then manually check that the resulting unsigned long value does not overflow *ptr. --=20 Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org --0QfBjf13Tgcs69GFsxSpSJ0LMemajvNht Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Public key at http://people.redhat.com/eblake/eblake.gpg Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCAAGBQJSleoaAAoJEKeha0olJ0Nqi+cH/A4tzI0CQu8beblmSUP8ghwF a1B2WIf5m1oJMIm/irx0sPYHDF8ZjpelkJWcamOH1iNT5BIrBsyc/tuZE0ODE/yz 62P7tlda+YDu1A6FQw62mkFmpc6HJT72CP5LXLxbm5lTjU1fcj3T2PMrbyDN6g/n 6XYyi9FgAwCaAcf6U0qOZnjufZnf/8QteqLIsIRGvSGmlowiqrYwW8tNKJf447C4 HC3VrmA3Un9wmvwYa6gf/if2zrUnbgkV5tbJsIv42rEfYFmJ5fJFalDxUfOzrgV/ wG89Y1qoCgq6ZKPcuMOjmtDnt2qnX+hLRXf58xQqpmyQg/gEn8DMemBBh6RDaiY= =MTyS -----END PGP SIGNATURE----- --0QfBjf13Tgcs69GFsxSpSJ0LMemajvNht--
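Review bot: the `if (errno)` check added after `*ptr = strtoul(str, &end, 16);` still lets the overflow the commit message targets through, because strtoul() only sets errno when the value does not fit in an unsigned long, while the store into `*ptr` narrows the result to the property's width (uint8_t for parse_hex8) without any error: "0x100" converts to 256, errno stays 0, and *ptr ends up 0. Convert into a local first and compare against the destination's limit before storing, e.g.

    unsigned long val;
    errno = 0;
    val = strtoul(str, &end, 16);

then `if (errno == ERANGE || val > UINT8_MAX) return -ERANGE;` (with the matching limit in the wider parse_hex variants) alongside the existing end-pointer check, and only then `*ptr = val;`. Two smaller points on the same lines: `if (errno) return -errno;` omits the braces that the neighbouring `if (...) {` blocks use, and since strtoul() reports overflow as ERANGE this path now returns -ERANGE where every other failure in the function returns -EINVAL, so callers of the hex property parsers should be checked for which error they expect.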
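The truncation Eric describes, and the parse-then-range-check pattern he asks for, as an added example. This is not QEMU code and none of these function names (parse_hex8_naive, parse_hex_ull, parse_hex8_checked, parse_hex64_checked, the demo_* wrappers) exist in the project; the naive variant mirrors the patched pattern, the checked variant converts into an unsigned long long first (strtoull, so the 64-bit case also works on 32-bit hosts), rejects leading sign and whitespace that strtoul() would otherwise accept, and compares against the destination width before narrowing.

```c
/*
 * Added example, not QEMU code. Function names are illustrative.
 * Contrasts "errno check, then narrow on store" (silent truncation) with
 * "convert to a wide local, validate, then narrow".
 */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Patched pattern: errno is checked, but the unsigned long result is
 * narrowed to uint8_t on assignment, so "100" (256) stores 0 with no error. */
static int parse_hex8_naive(const char *str, uint8_t *ptr)
{
    char *end;

    errno = 0;
    *ptr = strtoul(str, &end, 16);
    if (errno) {
        return -errno;
    }
    if ((*end != '\0') || (end == str)) {
        return -EINVAL;
    }
    return 0;
}

/* Checked variant: parse into the widest unsigned type, validate, and let
 * the caller narrow. 'max' is the largest value the destination can hold. */
static int parse_hex_ull(const char *str, unsigned long long max,
                         unsigned long long *out)
{
    char *end;
    unsigned long long val;

    /* strtoull() skips leading whitespace and accepts a sign: "-1" comes
     * back as ULLONG_MAX without ERANGE, so reject both forms up front. */
    if (str == NULL || isspace((unsigned char)*str) ||
        *str == '-' || *str == '+') {
        return -EINVAL;
    }
    errno = 0;
    val = strtoull(str, &end, 16);
    if (errno == ERANGE) {
        return -ERANGE;            /* did not fit in unsigned long long */
    }
    if (end == str || *end != '\0') {
        return -EINVAL;            /* no digits, or trailing garbage */
    }
    if (val > max) {
        return -ERANGE;            /* fits the wide type, not the target */
    }
    *out = val;
    return 0;
}

static int parse_hex8_checked(const char *str, uint8_t *ptr)
{
    unsigned long long val;
    int ret = parse_hex_ull(str, UINT8_MAX, &val);

    if (ret == 0) {
        *ptr = (uint8_t)val;       /* safe: val <= UINT8_MAX here */
    }
    return ret;
}

static int parse_hex64_checked(const char *str, uint64_t *ptr)
{
    unsigned long long val;
    int ret = parse_hex_ull(str, UINT64_MAX, &val);

    if (ret == 0) {
        *ptr = (uint64_t)val;
    }
    return ret;
}

/* Wrappers that return the stored value (or a negative errno) so each
 * parser's outcome can be inspected directly. demo_naive8 returns -1 when
 * the naive parser reported any error. */
static long demo_naive8(const char *s)
{
    uint8_t v = 0;
    return parse_hex8_naive(s, &v) < 0 ? -1 : (long)v;
}

static long demo_checked8(const char *s)
{
    uint8_t v = 0;
    int ret = parse_hex8_checked(s, &v);
    return ret < 0 ? ret : (long)v;
}

static int demo_checked64_status(const char *s)
{
    uint64_t v = 0;
    return parse_hex64_checked(s, &v);
}

int main(void)
{
    /* Constructed inputs: in range, over width, 0x prefix, empty, garbage,
     * negative, leading space. */
    const char *inputs[] = { "ff", "100", "0x7f", "", "1g", "-1", " ff" };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        printf("%-5s naive=%4ld checked=%4ld\n", inputs[i],
               demo_naive8(inputs[i]), demo_checked8(inputs[i]));
    }
    return 0;
}
```

The "100" row is the case from the reply: the naive parser returns success with 0 stored, the checked one returns -ERANGE. Rejecting a leading '-' matters most for the 64-bit property, where "-1" would otherwise pass the width check as 0xffffffffffffffff.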