Message ID | 20111114152920.37edca6f@doriath |
---|---|
State | New |
Headers | show |
On 11/14/2011 11:29 AM, Luiz Capitulino wrote: > We don't currently check for negative enum values in qmp_output_type_enum(), > this will very likely generate a segfault when triggered. > > However, it _seems_ that no code in tree can trigger this today. > > Signed-off-by: Luiz Capitulino<lcapitulino@redhat.com> > --- > > I think it's a good idea to merge this one for 1.0, but I'd be ok to queue it > for 1.1 in case we're only merging fixes for "real" bugs. > > I found this while extending the QAPI's unit-tests... > > qapi/qmp-output-visitor.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/qapi/qmp-output-visitor.c b/qapi/qmp-output-visitor.c > index d67724e..f76d015 100644 > --- a/qapi/qmp-output-visitor.c > +++ b/qapi/qmp-output-visitor.c > @@ -190,7 +190,7 @@ static void qmp_output_type_enum(Visitor *v, int *obj, const char *strings[], > > assert(strings); > while (strings[i++] != NULL); > - if (value>= i - 1) { > + if (value< 0 || value>= i - 1) { > error_set(errp, QERR_INVALID_PARAMETER, name ? name : "null"); > return; > } Acked-by: Michael Roth <mdroth@linux.vnet.ibm.com>
diff --git a/qapi/qmp-output-visitor.c b/qapi/qmp-output-visitor.c index d67724e..f76d015 100644 --- a/qapi/qmp-output-visitor.c +++ b/qapi/qmp-output-visitor.c @@ -190,7 +190,7 @@ static void qmp_output_type_enum(Visitor *v, int *obj, const char *strings[], assert(strings); while (strings[i++] != NULL); - if (value >= i - 1) { + if (value < 0 || value >= i - 1) { error_set(errp, QERR_INVALID_PARAMETER, name ? name : "null"); return; }
We don't currently check for negative enum values in qmp_output_type_enum(), this will very likely generate a segfault when triggered. However, it _seems_ that no code in tree can trigger this today. Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com> --- I think it's a good idea to merge this one for 1.0, but I'd be ok to queue it for 1.1 in case we're only merging fixes for "real" bugs. I found this while extending the QAPI's unit-tests... qapi/qmp-output-visitor.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)