| Message ID | 1385538775-4208-1-git-send-email-hare@suse.de |
|---|---|
| State | New |
| Headers | show |
Am 27.11.2013 08:52, schrieb Hannes Reinecke: > strtoul(l) might overflow, in which case it'll return '-1' and set > the appropriate error code. So update the calls to strtoul(l) when > parsing hex properties to avoid silent overflows. > > Cc: Peter Maydell <peter.maydell@linaro.org> > Cc: Eric Blake <eblake@redhat.com> > Signed-off-by: Hannes Reinecke <hare@suse.de> > --- > hw/core/qdev-properties.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c > index dc8ae69..5a94c04 100644 > --- a/hw/core/qdev-properties.c > +++ b/hw/core/qdev-properties.c > @@ -198,7 +198,10 @@ static int parse_hex8(DeviceState *dev, Property *prop, const char *str) > return -EINVAL; > } > > + errno = 0; > *ptr = strtoul(str, &end, 16); > + if (errno) > + return -errno; > if ((*end != '\0') || (end == str)) { > return -EINVAL; > } Thanks, this seems to match the requested logic. But please run checkpatch.pl and add the missing braces. I'll queue it then. Please add Cc: qemu-stable@nongnu.org to the commit message while at it since this seems a bug fix that spans multiple releases. Regards, Andreas > @@ -329,7 +332,10 @@ static int parse_hex32(DeviceState *dev, Property *prop, const char *str) > return -EINVAL; > } > > + errno = 0; > *ptr = strtoul(str, &end, 16); > + if (errno) > + return -errno; > if ((*end != '\0') || (end == str)) { > return -EINVAL; > } > @@ -396,7 +402,10 @@ static int parse_hex64(DeviceState *dev, Property *prop, const char *str) > return -EINVAL; > } > > + errno = 0; > *ptr = strtoull(str, &end, 16); > + if (errno) > + return -errno; > if ((*end != '\0') || (end == str)) { > return -EINVAL; > } >
On 11/27/2013 12:52 AM, Hannes Reinecke wrote: > strtoul(l) might overflow, in which case it'll return '-1' and set > the appropriate error code. So update the calls to strtoul(l) when > parsing hex properties to avoid silent overflows. > > Cc: Peter Maydell <peter.maydell@linaro.org> > Cc: Eric Blake <eblake@redhat.com> > Signed-off-by: Hannes Reinecke <hare@suse.de> > --- > hw/core/qdev-properties.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c > index dc8ae69..5a94c04 100644 > --- a/hw/core/qdev-properties.c > +++ b/hw/core/qdev-properties.c > @@ -198,7 +198,10 @@ static int parse_hex8(DeviceState *dev, Property *prop, const char *str) > return -EINVAL; > } > > + errno = 0; > *ptr = strtoul(str, &end, 16); > + if (errno) > + return -errno; > if ((*end != '\0') || (end == str)) { > return -EINVAL; > } Still incomplete. You still have silent overflows. Consider a string of "0x100". strtoul() does not set errno, but *ptr is set to 0 because 0x100 is bigger than a uint8_t. You HAVE to parse the results into an unsigned long, then manually check that the resulting unsigned long value does not overflow *ptr.
diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c index dc8ae69..5a94c04 100644 --- a/hw/core/qdev-properties.c +++ b/hw/core/qdev-properties.c @@ -198,7 +198,10 @@ static int parse_hex8(DeviceState *dev, Property *prop, const char *str) return -EINVAL; } + errno = 0; *ptr = strtoul(str, &end, 16); + if (errno) + return -errno; if ((*end != '\0') || (end == str)) { return -EINVAL; } @@ -329,7 +332,10 @@ static int parse_hex32(DeviceState *dev, Property *prop, const char *str) return -EINVAL; } + errno = 0; *ptr = strtoul(str, &end, 16); + if (errno) + return -errno; if ((*end != '\0') || (end == str)) { return -EINVAL; } @@ -396,7 +402,10 @@ static int parse_hex64(DeviceState *dev, Property *prop, const char *str) return -EINVAL; } + errno = 0; *ptr = strtoull(str, &end, 16); + if (errno) + return -errno; if ((*end != '\0') || (end == str)) { return -EINVAL; }
strtoul(l) might overflow, in which case it'll return '-1' and set the appropriate error code. So update the calls to strtoul(l) when parsing hex properties to avoid silent overflows. Cc: Peter Maydell <peter.maydell@linaro.org> Cc: Eric Blake <eblake@redhat.com> Signed-off-by: Hannes Reinecke <hare@suse.de> --- hw/core/qdev-properties.c | 9 +++++++++ 1 file changed, 9 insertions(+)