From: Eric Blake <eblake@redhat.com>
To: "Andreas Färber" <afaerber@suse.de>, "Hannes Reinecke" <hare@suse.de>
Cc: qemu-devel@nongnu.org, Alexander Graf <agraf@suse.de>
Subject: Re: [Qemu-devel] [PATCHv3] qdev: Validate hex properties
Date: Thu, 28 Nov 2013 10:46:04 -0700 [thread overview]
Message-ID: <5297815C.7000605@redhat.com> (raw)
In-Reply-To: <52974EA6.50301@suse.de>
[-- Attachment #1: Type: text/plain, Size: 2191 bytes --]
On 11/28/2013 07:09 AM, Andreas Färber wrote:
> Am 28.11.2013 09:39, schrieb Hannes Reinecke:
>> strtoul(l) might overflow, in which case it'll return '-1' and set
>> the appropriate error code. So update the calls to strtoul(l) when
>> parsing hex properties to avoid silent overflows.
>>
>> Signed-off-by: Hannes Reinecke <hare@suse.de>
>> ---
>> + if (val > 255) {
>> + return -ERANGE;
>> + }
>> if ((*end != '\0') || (end == str)) {
>> return -EINVAL;
>> }
>> -
>> + *ptr = val;
>> return 0;
>> }
>>
>
> This part looks okay to me.
Indeed.
>
>> @@ -329,7 +337,11 @@ static int parse_hex32(DeviceState *dev, Property *prop, const char *str)
>> return -EINVAL;
>> }
>>
>> + errno = 0;
>> *ptr = strtoul(str, &end, 16);
>> + if (errno) {
>> + return -errno;
>> + }
>
> I can image that on a 64-bit system long can be larger than 32 bits, so
> we'll need an equivalent val > UINT32_MAX check here, I guess?
Also correct - this hunk is incomplete without a post-parse range check. :(
>
>> if ((*end != '\0') || (end == str)) {
>> return -EINVAL;
>> }
>> @@ -396,7 +408,11 @@ static int parse_hex64(DeviceState *dev, Property *prop, const char *str)
>> return -EINVAL;
>> }
>>
>> + errno = 0;
>> *ptr = strtoull(str, &end, 16);
>> + if (errno) {
>> + return -errno;
>> + }
>> if ((*end != '\0') || (end == str)) {
>> return -EINVAL;
>> }
>
> Eric, do we have any size guarantee for long long or do we also need a
> symmetric if (... > UINT64_MAX) { return -ERANGE; } for the unlikely
> 128-bit case?
I don't know of any platform with a long long greater than 64 bits, but
I also think the C99 wording is loose enough to allow such a theoretical
platform. Personally, I'd be happy with a compile-time assertion that
validates that sizeof(unsigned long long)==sizeof(uint64_t), rather than
writing a range limit that is in practice just dead code.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 621 bytes --]
prev parent reply other threads:[~2013-11-28 17:48 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-28 8:39 [Qemu-devel] [PATCHv3] qdev: Validate hex properties Hannes Reinecke
2013-11-28 14:09 ` Andreas Färber
2013-11-28 17:46 ` Eric Blake [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5297815C.7000605@redhat.com \
--to=eblake@redhat.com \
--cc=afaerber@suse.de \
--cc=agraf@suse.de \
--cc=hare@suse.de \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).