qemu_parse_fd() used to handle at least the following strings incorrectly:
o "-2": simply let through
o "2147483648": returned as LONG_MAX==INT_MAX on ILP32 (with ERANGE
ignored); implementation-defined behavior on LP64
Signed-off-by: Laszlo Ersek <[email protected]>
---
util/cutils.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/util/cutils.c b/util/cutils.c
index b337293..dbe7412 100644
--- a/util/cutils.c
+++ b/util/cutils.c
@@ -22,10 +22,12 @@
* THE SOFTWARE.
*/
#include "qemu-common.h"
#include "qemu/host-utils.h"
#include <math.h>
+#include <limits.h>
+#include <errno.h>
#include "qemu/sockets.h"
#include "qemu/iov.h"
#include "net/net.h"
@@ -455,15 +457,20 @@ int parse_uint_full(const char *s, unsigned long long
*value, int base)
return 0;
}
int qemu_parse_fd(const char *param)
{
- int fd;
- char *endptr = NULL;
+ long fd;
+ char *endptr;
+ errno = 0;
fd = strtol(param, &endptr, 10);
- if (*endptr || (fd == 0 && param == endptr)) {
+ if (param == endptr /* no conversion performed */ ||
+ errno != 0 /* not representable as long; possibly others */ ||
+ *endptr != '\0' /* final string not empty */ ||
+ fd < 0 /* invalid as file descriptor */ ||
+ fd > INT_MAX /* not representable as int */) {
return -1;
}
return fd;
}
--
1.8.3.1
