Message-ID: <5297815C.7000605@redhat.com>
Date: Thu, 28 Nov 2013 10:46:04 -0700
From: Eric Blake
References: <1385627947-23147-1-git-send-email-hare@suse.de> <52974EA6.50301@suse.de>
In-Reply-To: <52974EA6.50301@suse.de>
Subject: Re: [Qemu-devel] [PATCHv3] qdev: Validate hex properties
To: Andreas Färber, Hannes Reinecke
Cc: qemu-devel@nongnu.org, Alexander Graf

On 11/28/2013 07:09 AM, Andreas Färber wrote:
> On 28.11.2013 09:39, Hannes Reinecke wrote:
>> strtoul(l) might overflow, in which case it'll return '-1' and set
>> the appropriate error code. So update the calls to strtoul(l) when
>> parsing hex properties to avoid silent overflows.
>>
>> Signed-off-by: Hannes Reinecke
>> ---
>> + if (val > 255) { >> + return -ERANGE; >> + } >> if ((*end !=3D '\0') || (end =3D=3D str)) { >> return -EINVAL; >> } >> - >> + *ptr =3D val; >> return 0; >> } >> =20
>
> This part looks okay to me.

Indeed.

>
>> @@ -329,7 +337,11 @@ static int parse_hex32(DeviceState *dev, Property= *prop, const char *str) >> return -EINVAL; >> } >> =20 >> + errno =3D 0; >> *ptr =3D strtoul(str, &end, 16); >> + if (errno) { >> + return -errno; >> + }
>
> I can imagine that on a 64-bit system long can be larger than 32 bits, so
> we'll need an equivalent val > UINT32_MAX check here, I guess?

Also correct - this hunk is incomplete without a post-parse range check. :(

>
>> if ((*end !=3D '\0') || (end =3D=3D str)) { >> return -EINVAL; >> }
>> @@ -396,7 +408,11 @@ static int parse_hex64(DeviceState *dev, Property= *prop, const char *str) >> return -EINVAL; >> } >> =20 >> + errno =3D 0; >> *ptr =3D strtoull(str, &end, 16); >> + if (errno) { >> + return -errno; >> + } >> if ((*end !=3D '\0') || (end =3D=3D str)) { >> return -EINVAL; >> }
>
> Eric, do we have any size guarantee for long long or do we also need a
> symmetric if (... > UINT64_MAX) { return -ERANGE; } for the unlikely
> 128-bit case?

I don't know of any platform with a long long greater than 64 bits, but
I also think the C99 wording is loose enough to allow such a theoretical
platform. Personally, I'd be happy with a compile-time assertion that
validates that sizeof(unsigned long long)==sizeof(uint64_t), rather than
writing a range limit that is in practice just dead code.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
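
Review bot: In the first hunk the `val > 255` test runs before the `*end` / `end == str` test, so a string with trailing characters whose numeric prefix exceeds 255 is reported as -ERANGE rather than -EINVAL. Consider doing the syntax check first so malformed input always gets the same error. Storing through `val` only on the success path is the right shape and is what the other two hunks should follow.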
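
Review bot: In the parse_hex32 hunk the strtoul() result is stored straight into `*ptr`, so where unsigned long is wider than 32 bits a value above UINT32_MAX leaves errno at 0 and is silently truncated by the assignment. Parse into a local unsigned long, return -ERANGE when it exceeds UINT32_MAX, and assign `*ptr` only after the `*end` check has passed, as the first hunk does with `val`. As written, `*ptr` is also overwritten before every one of the error returns.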
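
Review bot: In the parse_hex64 hunk, `*ptr = strtoull(str, &end, 16);` writes the destination before the errno and `*end` checks, so a rejected string still changes the property value. Parse into a local and store it only on the success path, as the first hunk does with `val`. The width question is better settled with a build-time assertion that unsigned long long and uint64_t have the same size than with a runtime comparison that can never be true.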
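
The checks this thread converges on, written out as an added example (not QEMU's code and not part of the patch): errno reset, a local result, a post-parse range check for the 32-bit case, and a compile-time width assertion for the 64-bit case. The helper names `hex_to_u32` and `hex_to_u64` are hypothetical, and C11 `_Static_assert` is this example's choice for the assertion.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Build-time check replacing a runtime "> UINT64_MAX" test (C11 syntax). */
_Static_assert(sizeof(unsigned long long) == sizeof(uint64_t),
               "strtoull() result must be exactly 64 bits wide");

/* Hypothetical helper: parse a whole hex string into *out; on failure return
 * a negative errno value and leave *out untouched. */
static int hex_to_u32(const char *str, uint32_t *out)
{
    char *end;
    unsigned long val;

    errno = 0;                        /* strtoul() never clears errno */
    val = strtoul(str, &end, 16);
    if (errno) {
        return -errno;                /* ERANGE: exceeds unsigned long */
    }
    if (end == str || *end != '\0') {
        return -EINVAL;               /* no digits, or trailing characters */
    }
    if (val > UINT32_MAX) {
        return -ERANGE;               /* 64-bit long: errno stayed 0 */
    }
    *out = (uint32_t)val;
    return 0;
}

/* Hypothetical 64-bit counterpart: with the assertion above, strtoull()'s
 * own ERANGE report is the only range check needed. */
static int hex_to_u64(const char *str, uint64_t *out)
{
    char *end;
    unsigned long long val;

    errno = 0;
    val = strtoull(str, &end, 16);
    if (errno) {
        return -errno;
    }
    if (end == str || *end != '\0') {
        return -EINVAL;
    }
    *out = val;
    return 0;
}
```

Like strtoul() itself, both helpers accept leading whitespace, a sign and an optional 0x prefix; a caller that wants bare hex digits only has to check for those before calling.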