author | Greg Kurz <groug@kaod.org> | 2018-02-01 21:21:28 +0100 |
---|---|---|
committer | Greg Kurz <groug@kaod.org> | 2018-02-02 11:15:34 +0100 |
commit | 9ea776ee7d4061c043d0fbf89aa85f86ec0cf8a2 (patch) | |
tree | 35067ba6ad0a0292dfa6af18c2e0111e340792f6 /tests/virtio-9p-test.c | |
parent | 357e2f7f4e4dc68f01d5b81f5cd669874314e14a (diff) | |
tests/virtio-9p: explicitly handle potential integer overflows
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'tests/virtio-9p-test.c')
-rw-r--r-- | tests/virtio-9p-test.c | 31 |
1 files changed, 21 insertions, 10 deletions
diff --git a/tests/virtio-9p-test.c b/tests/virtio-9p-test.c
index 0d3334a..54edcb9 100644
--- a/tests/virtio-9p-test.c
+++ b/tests/virtio-9p-test.c
@@ -168,7 +168,7 @@ static uint16_t v9fs_string_size(const char *string)
 {
     size_t len = strlen(string);
-    g_assert_cmpint(len, <=, UINT16_MAX);
+    g_assert_cmpint(len, <=, UINT16_MAX - 2);
     return 2 + len;
 }
@@ -209,17 +209,20 @@ static P9Req *v9fs_req_init(QVirtIO9P *v9p, uint32_t size, uint8_t id,
                             uint16_t tag)
 {
     P9Req *req = g_new0(P9Req, 1);
-    uint32_t t_size = 7 + size; /* 9P header has well-known size of 7 bytes */
+    uint32_t total_size = 7; /* 9P header has well-known size of 7 bytes */
     P9Hdr hdr = {
-        .size = cpu_to_le32(t_size),
         .id = id,
         .tag = cpu_to_le16(tag)
     };
-    g_assert_cmpint(t_size, <=, P9_MAX_SIZE);
+    g_assert_cmpint(total_size, <=, UINT32_MAX - size);
+    total_size += size;
+    hdr.size = cpu_to_le32(total_size);
+
+    g_assert_cmpint(total_size, <=, P9_MAX_SIZE);
     req->v9p = v9p;
-    req->t_size = t_size;
+    req->t_size = total_size;
     req->t_msg = guest_alloc(v9p->qs->alloc, req->t_size);
     v9fs_memwrite(req, &hdr, 7);
     req->tag = tag;
@@ -305,8 +308,13 @@ static void v9fs_rlerror(P9Req *req, uint32_t *err)
 static P9Req *v9fs_tversion(QVirtIO9P *v9p, uint32_t msize, const char *version,
                             uint16_t tag)
 {
-    P9Req *req = v9fs_req_init(v9p, 4 + v9fs_string_size(version), P9_TVERSION,
-                               tag);
+    P9Req *req;
+    uint32_t body_size = 4;
+    uint16_t string_size = v9fs_string_size(version);
+
+    g_assert_cmpint(body_size, <=, UINT32_MAX - string_size);
+    body_size += string_size;
+    req = v9fs_req_init(v9p, body_size, P9_TVERSION, tag);
     v9fs_uint32_write(req, msize);
     v9fs_string_write(req, version);
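Review bot: The overflow guard in v9fs_req_init followed two lines later by the P9_MAX_SIZE assertion could be folded into a single check by doing the addition in a wider type, which reads more directly than asserting against `UINT32_MAX - size` and only then adding: `uint64_t total_size = 7 + (uint64_t)size;` then `g_assert_cmpint(total_size, <=, P9_MAX_SIZE);`, with the `hdr.size` and `req->t_size` stores narrowing a value already known to fit. This is a point of style only; the two-step form is correct as written, since `size` is a uint32_t supplied by the caller and the guard is the one check here that can actually fire. The remaining lines of v9fs_req_init are outside the hunk.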
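Review bot: The guard `g_assert_cmpint(body_size, <=, UINT32_MAX - string_size);` added in v9fs_tversion can never fire: `body_size` is the constant 4 and `string_size` is a uint16_t, so the sum is at most 4 + UINT16_MAX, nowhere near UINT32_MAX. The same appears to hold for the per-iteration guard in the v9fs_twalk hunk below, if nwname is the uint16_t that the `v9fs_uint16_write(req, nwname)` call suggests, because 10 + UINT16_MAX * UINT16_MAX still fits in a uint32_t. If both checks are kept for uniformity with v9fs_req_init, a short comment such as `/* cannot overflow with a uint16_t string size; kept for uniformity with the other request builders */` saves the next reader from hunting for the case they protect against. v9fs_tversion's body continues past the end of the hunk.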
@@ -366,12 +374,15 @@ static P9Req *v9fs_twalk(QVirtIO9P *v9p, uint32_t fid, uint32_t newfid,
 {
     P9Req *req;
     int i;
-    uint32_t size = 4 + 4 + 2;
+    uint32_t body_size = 4 + 4 + 2;
     for (i = 0; i < nwname; i++) {
-        size += v9fs_string_size(wnames[i]);
+        uint16_t wname_size = v9fs_string_size(wnames[i]);
+
+        g_assert_cmpint(body_size, <=, UINT32_MAX - wname_size);
+        body_size += wname_size;
     }
-    req = v9fs_req_init(v9p, size, P9_TWALK, tag);
+    req = v9fs_req_init(v9p, body_size, P9_TWALK, tag);
     v9fs_uint32_write(req, fid);
     v9fs_uint32_write(req, newfid);
     v9fs_uint16_write(req, nwname);