From: "Alex Bennée" <alex.bennee@linaro.org>
To: zhanghailiang <zhang.zhanghailiang@huawei.com>
Cc: qemu-devel@nongnu.org, qemu-trivial@nongnu.org, mjt@tls.msk.ru,
peter.huangpeng@huawei.com, armbru@redhat.com, kraxel@redhat.com
Subject: Re: [Qemu-devel] [PATCH v3 1/5] qemu-char: fix parameter check in some qemu_chr_parse_* functions
Date: Tue, 04 Nov 2014 13:25:31 +0000
Message-ID: <874mufumgk.fsf@linaro.org>
In-Reply-To: <1415098223-32404-2-git-send-email-zhang.zhanghailiang@huawei.com>
zhanghailiang <zhang.zhanghailiang@huawei.com> writes:
> For some qemu_chr_parse_* functions, we just check whether the parameter
> is NULL or not, but do not check if it is empty.
>
> For example:
> qemu-system-x86_64 -chardev pipe,id=id,path=
> It will pass the check of NULL but will not find the error until
> trying to open it, while essentially a missing and an empty parameter
> are the same thing.
>
> So check the parameters for emptiness too, and avoid emptiness
> check at open time.
>
> Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
> ---
> qemu-char.c | 15 +++++----------
> 1 file changed, 5 insertions(+), 10 deletions(-)
>
> diff --git a/qemu-char.c b/qemu-char.c
> index bd0709b..a09bbf6 100644
> --- a/qemu-char.c
> +++ b/qemu-char.c
> @@ -1084,11 +1084,6 @@ static CharDriverState *qemu_chr_open_pipe(ChardevHostdev *opts)
> char filename_out[CHR_MAX_FILENAME_SIZE];
> const char *filename = opts->device;
>
> - if (filename == NULL) {
> - fprintf(stderr, "chardev: pipe: no filename given\n");
> - return NULL;
> - }
> -

You seem to have dropped a check here, are you sure all avenues into
this code have validated filename? What if a new function gets added?
At a minimum I'd replace it with a g_assert(filename) to make the
calling contract clear.

> snprintf(filename_in, CHR_MAX_FILENAME_SIZE, "%s.in", filename);
> snprintf(filename_out, CHR_MAX_FILENAME_SIZE, "%s.out",
> filename);

We'll probably end up with "(null).in" as the filename which may be
an exploitation vector.

> TFR(fd_in = qemu_open(filename_in, O_RDWR | O_BINARY));
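
Review bot: the block removed from qemu_chr_open_pipe() is a NULL test on
opts->device, not the emptiness check the commit message says is being
dropped at open time, and after this hunk nothing in the function guards the
two snprintf() "%s" calls. The replacement test lives in
qemu_chr_parse_pipe(), so it protects only callers that arrive through that
parser. Keep a guard here or state the precondition with an assertion, and
check the snprintf() return values so a name that does not fit in
CHR_MAX_FILENAME_SIZE is rejected instead of being truncated before
qemu_open().
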
> @@ -3419,7 +3414,7 @@ static void qemu_chr_parse_file_out(QemuOpts *opts, ChardevBackend *backend,
> {
> const char *path = qemu_opt_get(opts, "path");
>
> - if (path == NULL) {
> + if (path == NULL || !path[0]) {
> error_setg(errp, "chardev: file: no filename given");
> return;
> }
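
Review bot: style point on the new condition in qemu_chr_parse_file_out():
`path == NULL || !path[0]` mixes an explicit NULL comparison with an implicit
test, while the socket hunk writes `!host || !host[0]`. Pick one spelling, or
better, put the test in one small helper, since the same two-part check is
now repeated for file, parallel, pipe, host and port and each copy can drift.
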
> @@ -3453,7 +3448,7 @@ static void qemu_chr_parse_parallel(QemuOpts *opts, ChardevBackend *backend,
> {
> const char *device = qemu_opt_get(opts, "path");
>
> - if (device == NULL) {
> + if (device == NULL || !device[0]) {
> error_setg(errp, "chardev: parallel: no device path given");
> return;
> }
> @@ -3466,7 +3461,7 @@ static void qemu_chr_parse_pipe(QemuOpts *opts, ChardevBackend *backend,
> {
> const char *device = qemu_opt_get(opts, "path");
>
> - if (device == NULL) {
> + if (device == NULL || !device[0]) {
> error_setg(errp, "chardev: pipe: no device path given");
> return;
> }
> @@ -3515,11 +3510,11 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
> SocketAddress *addr;
>
> if (!path) {
> - if (!host) {
> + if (!host || !host[0]) {
> error_setg(errp, "chardev: socket: no host given");
> return;
> }
> - if (!port) {
> + if (!port || !port[0]) {
> error_setg(errp, "chardev: socket: no port given");
> return;
> }
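
Review bot: in qemu_chr_parse_socket() the emptiness test is applied to host
and port but not to path, and both new tests sit inside `if (!path) {`. An
empty `path=` is non-NULL, so it skips the host and port checks entirely and
is not rejected by anything visible in this hunk. Treat an empty path the
same way the other hunks do, for example by testing `!path || !path[0]` when
choosing the branch or by rejecting an empty path with its own error.
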
All this boilerplate checking makes me think that either the qemu_opt
machinery should be ensuring we get a valid option string?
--
Alex Bennée
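
The calling-contract concern raised in this reply, as an added C example that is not part of the original message or of QEMU: a hypothetical `build_pipe_names` helper that rejects a NULL or empty base name, and a truncated result, before anything is opened. `opt_is_set`, `NAME_MAX_SIZE` and the sample paths are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_SIZE 256   /* stand-in for CHR_MAX_FILENAME_SIZE (value assumed) */

/* Hypothetical helper: true only for a non-NULL, non-empty option value. */
static int opt_is_set(const char *s)
{
    return s != NULL && s[0] != '\0';
}

/*
 * Hypothetical open-time guard: build "<base>.in" and "<base>.out".
 * Returns 0 on success, -1 if base is missing/empty or a name would be
 * truncated. Passing NULL to "%s" is undefined behaviour in C; glibc
 * happens to print "(null)", which is how "(null).in" would arise.
 */
static int build_pipe_names(const char *base, char *in, char *out, size_t size)
{
    int n;

    if (!opt_is_set(base)) {
        return -1;
    }
    n = snprintf(in, size, "%s.in", base);
    if (n < 0 || (size_t)n >= size) {
        return -1;              /* would have been silently truncated */
    }
    n = snprintf(out, size, "%s.out", base);
    if (n < 0 || (size_t)n >= size) {
        return -1;
    }
    return 0;
}

int main(void)
{
    char in[NAME_MAX_SIZE], out[NAME_MAX_SIZE];
    const char *samples[] = { "/tmp/guestpipe", "", NULL };  /* constructed inputs */

    for (size_t i = 0; i < 3; i++) {
        int rc = build_pipe_names(samples[i], in, out, sizeof(in));
        printf("%s -> %s\n", samples[i] ? samples[i] : "NULL",
               rc == 0 ? in : "rejected");
    }
    return 0;
}
```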