On 11/27/2013 12:52 AM, Hannes Reinecke wrote: > strtoul(l) might overflow, in which case it'll return '-1' and set > the appropriate error code. So update the calls to strtoul(l) when > parsing hex properties to avoid silent overflows. > > Cc: Peter Maydell <peter.mayd...@linaro.org> > Cc: Eric Blake <ebl...@redhat.com> > Signed-off-by: Hannes Reinecke <h...@suse.de> > --- > hw/core/qdev-properties.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c > index dc8ae69..5a94c04 100644 > --- a/hw/core/qdev-properties.c > +++ b/hw/core/qdev-properties.c > @@ -198,7 +198,10 @@ static int parse_hex8(DeviceState *dev, Property *prop, > const char *str) > return -EINVAL; > } > > + errno = 0; > *ptr = strtoul(str, &end, 16); > + if (errno) > + return -errno; > if ((*end != '\0') || (end == str)) { > return -EINVAL; > }
Still incomplete. You still have silent overflows. Consider a string of "0x100". strtoul() does not set errno, but *ptr is set to 0 because 0x100 is bigger than a uint8_t. You HAVE to parse the results into an unsigned long, then manually check that the resulting unsigned long value does not overflow *ptr. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature