* [Qemu-devel] [PATCHv3] qdev: Validate hex properties
@ 2013-11-28 8:39 Hannes Reinecke
2013-11-28 14:09 ` Andreas Färber
0 siblings, 1 reply; 3+ messages in thread
From: Hannes Reinecke @ 2013-11-28 8:39 UTC (permalink / raw)
To: Andreas Faerber; +Cc: Hannes Reinecke, qemu-devel, Alexander Graf
strtoul(l) might overflow, in which case it'll return '-1' and set
the appropriate error code. So update the calls to strtoul(l) when
parsing hex properties to avoid silent overflows.
Signed-off-by: Hannes Reinecke <hare@suse.de>
---
hw/core/qdev-properties.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
index dc8ae69..4891a01 100644
--- a/hw/core/qdev-properties.c
+++ b/hw/core/qdev-properties.c
@@ -191,6 +191,7 @@ PropertyInfo qdev_prop_uint8 = {
static int parse_hex8(DeviceState *dev, Property *prop, const char *str)
{
+ unsigned long val;
uint8_t *ptr = qdev_get_prop_ptr(dev, prop);
char *end;
@@ -198,11 +199,18 @@ static int parse_hex8(DeviceState *dev, Property *prop, const char *str)
return -EINVAL;
}
- *ptr = strtoul(str, &end, 16);
+ errno = 0;
+ val = strtoul(str, &end, 16);
+ if (errno) {
+ return -errno;
+ }
+ if (val > 255) {
+ return -ERANGE;
+ }
if ((*end != '\0') || (end == str)) {
return -EINVAL;
}
-
+ *ptr = val;
return 0;
}
@@ -329,7 +337,11 @@ static int parse_hex32(DeviceState *dev, Property *prop, const char *str)
return -EINVAL;
}
+ errno = 0;
*ptr = strtoul(str, &end, 16);
+ if (errno) {
+ return -errno;
+ }
if ((*end != '\0') || (end == str)) {
return -EINVAL;
}
@@ -396,7 +408,11 @@ static int parse_hex64(DeviceState *dev, Property *prop, const char *str)
return -EINVAL;
}
+ errno = 0;
*ptr = strtoull(str, &end, 16);
+ if (errno) {
+ return -errno;
+ }
if ((*end != '\0') || (end == str)) {
return -EINVAL;
}
--
1.8.1.4
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [Qemu-devel] [PATCHv3] qdev: Validate hex properties
2013-11-28 8:39 [Qemu-devel] [PATCHv3] qdev: Validate hex properties Hannes Reinecke
@ 2013-11-28 14:09 ` Andreas Färber
2013-11-28 17:46 ` Eric Blake
0 siblings, 1 reply; 3+ messages in thread
From: Andreas Färber @ 2013-11-28 14:09 UTC (permalink / raw)
To: Hannes Reinecke, Eric Blake; +Cc: qemu-devel, Alexander Graf
Am 28.11.2013 09:39, schrieb Hannes Reinecke:
> strtoul(l) might overflow, in which case it'll return '-1' and set
> the appropriate error code. So update the calls to strtoul(l) when
> parsing hex properties to avoid silent overflows.
>
> Signed-off-by: Hannes Reinecke <hare@suse.de>
> ---
> hw/core/qdev-properties.c | 20 ++++++++++++++++++--
> 1 file changed, 18 insertions(+), 2 deletions(-)
>
> diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
> index dc8ae69..4891a01 100644
> --- a/hw/core/qdev-properties.c
> +++ b/hw/core/qdev-properties.c
> @@ -191,6 +191,7 @@ PropertyInfo qdev_prop_uint8 = {
>
> static int parse_hex8(DeviceState *dev, Property *prop, const char *str)
> {
> + unsigned long val;
> uint8_t *ptr = qdev_get_prop_ptr(dev, prop);
> char *end;
>
> @@ -198,11 +199,18 @@ static int parse_hex8(DeviceState *dev, Property *prop, const char *str)
> return -EINVAL;
> }
>
> - *ptr = strtoul(str, &end, 16);
> + errno = 0;
> + val = strtoul(str, &end, 16);
> + if (errno) {
> + return -errno;
> + }
> + if (val > 255) {
> + return -ERANGE;
> + }
> if ((*end != '\0') || (end == str)) {
> return -EINVAL;
> }
> -
> + *ptr = val;
> return 0;
> }
>
This part looks okay to me.
> @@ -329,7 +337,11 @@ static int parse_hex32(DeviceState *dev, Property *prop, const char *str)
> return -EINVAL;
> }
>
> + errno = 0;
> *ptr = strtoul(str, &end, 16);
> + if (errno) {
> + return -errno;
> + }
I can image that on a 64-bit system long can be larger than 32 bits, so
we'll need an equivalent val > UINT32_MAX check here, I guess?
> if ((*end != '\0') || (end == str)) {
> return -EINVAL;
> }
> @@ -396,7 +408,11 @@ static int parse_hex64(DeviceState *dev, Property *prop, const char *str)
> return -EINVAL;
> }
>
> + errno = 0;
> *ptr = strtoull(str, &end, 16);
> + if (errno) {
> + return -errno;
> + }
> if ((*end != '\0') || (end == str)) {
> return -EINVAL;
> }
Eric, do we have any size guarantee for long long or do we also need a
symmetric if (... > UINT64_MAX) { return -ERANGE; } for the unlikely
128-bit case?
Andreas
--
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [Qemu-devel] [PATCHv3] qdev: Validate hex properties
2013-11-28 14:09 ` Andreas Färber
@ 2013-11-28 17:46 ` Eric Blake
0 siblings, 0 replies; 3+ messages in thread
From: Eric Blake @ 2013-11-28 17:46 UTC (permalink / raw)
To: Andreas Färber, Hannes Reinecke; +Cc: qemu-devel, Alexander Graf
[-- Attachment #1: Type: text/plain, Size: 2191 bytes --]
On 11/28/2013 07:09 AM, Andreas Färber wrote:
> Am 28.11.2013 09:39, schrieb Hannes Reinecke:
>> strtoul(l) might overflow, in which case it'll return '-1' and set
>> the appropriate error code. So update the calls to strtoul(l) when
>> parsing hex properties to avoid silent overflows.
>>
>> Signed-off-by: Hannes Reinecke <hare@suse.de>
>> ---
>> + if (val > 255) {
>> + return -ERANGE;
>> + }
>> if ((*end != '\0') || (end == str)) {
>> return -EINVAL;
>> }
>> -
>> + *ptr = val;
>> return 0;
>> }
>>
>
> This part looks okay to me.
Indeed.
>
>> @@ -329,7 +337,11 @@ static int parse_hex32(DeviceState *dev, Property *prop, const char *str)
>> return -EINVAL;
>> }
>>
>> + errno = 0;
>> *ptr = strtoul(str, &end, 16);
>> + if (errno) {
>> + return -errno;
>> + }
>
> I can image that on a 64-bit system long can be larger than 32 bits, so
> we'll need an equivalent val > UINT32_MAX check here, I guess?
Also correct - this hunk is incomplete without a post-parse range check. :(
>
>> if ((*end != '\0') || (end == str)) {
>> return -EINVAL;
>> }
>> @@ -396,7 +408,11 @@ static int parse_hex64(DeviceState *dev, Property *prop, const char *str)
>> return -EINVAL;
>> }
>>
>> + errno = 0;
>> *ptr = strtoull(str, &end, 16);
>> + if (errno) {
>> + return -errno;
>> + }
>> if ((*end != '\0') || (end == str)) {
>> return -EINVAL;
>> }
>
> Eric, do we have any size guarantee for long long or do we also need a
> symmetric if (... > UINT64_MAX) { return -ERANGE; } for the unlikely
> 128-bit case?
I don't know of any platform with a long long greater than 64 bits, but
I also think the C99 wording is loose enough to allow such a theoretical
platform. Personally, I'd be happy with a compile-time assertion that
validates that sizeof(unsigned long long)==sizeof(uint64_t), rather than
writing a range limit that is in practice just dead code.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 621 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-11-28 17:48 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-11-28 8:39 [Qemu-devel] [PATCHv3] qdev: Validate hex properties Hannes Reinecke
2013-11-28 14:09 ` Andreas Färber
2013-11-28 17:46 ` Eric Blake
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).