From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Greg Kurz, Stefan Hajnoczi
Date: Tue, 30 Jan 2018 09:32:48 +0100
Message-ID: <151730107324.755.12264321256439401751.stgit@bahia.lan>
Subject: [Qemu-devel] [PATCH] tests/virtio-9p: explicitly handle potential integer overflows

Signed-off-by: Greg Kurz
Reviewed-by: Eric Blake
Reviewed-by: Stefan Hajnoczi
---
tests/virtio-9p-test.c | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)

This is based on SHA1 2eab02aa260ac5405e1e51c9cc1b4c3aa23fc45a from my 9p-next branch: https://github.com/gkurz/qemu/commits/9p-next

diff --git a/tests/virtio-9p-test.c b/tests/virtio-9p-test.c index 41fa492cb778..f4824fa33b87 100644 --- a/tests/virtio-9p-test.c +++ b/tests/virtio-9p-test.c @@ -168,7 +168,7 @@ static uint16_t v9fs_string_size(const char *string) { size_t len =3D strlen(string); =20 - g_assert_cmpint(len, <=3D, UINT16_MAX); + g_assert_cmpint(len, <=3D, UINT16_MAX - 2); =20 return 2 + len; } 
@@ -209,17 +209,20 @@ static P9Req *v9fs_req_init(QVirtIO9P *v9p, uint32_t = size, uint8_t id, uint16_t tag) { P9Req *req =3D g_new0(P9Req, 1); - uint32_t t_size =3D 7 + size; /* 9P header has well-known size of 7 by= tes */ + uint32_t total_size =3D 7; /* 9P header has well-known size of 7 bytes= */ P9Hdr hdr =3D { - .size =3D cpu_to_le32(t_size), .id =3D id, .tag =3D cpu_to_le16(tag) }; =20 - g_assert_cmpint(t_size, <=3D, P9_MAX_SIZE); + g_assert_cmpint(total_size, <=3D, UINT32_MAX - size); + total_size +=3D size; + hdr.size =3D cpu_to_le32(total_size); + + g_assert_cmpint(total_size, <=3D, P9_MAX_SIZE); =20 req->v9p =3D v9p; - req->t_size =3D t_size; + req->t_size =3D total_size; req->t_msg =3D guest_alloc(v9p->qs->alloc, req->t_size); v9fs_memwrite(req, &hdr, 7); req->tag =3D tag; @@ -305,8 +308,13 @@ static void v9fs_rlerror(P9Req *req, uint32_t *err) static P9Req *v9fs_tversion(QVirtIO9P *v9p, uint32_t msize, const char *ve= rsion, uint16_t tag) { - P9Req *req =3D v9fs_req_init(v9p, 4 + v9fs_string_size(version), P9_TV= ERSION, - tag); + P9Req *req; + uint32_t body_size =3D 4; + uint16_t string_size =3D v9fs_string_size(version); + + g_assert_cmpint(body_size, <=3D, UINT32_MAX - string_size); + body_size +=3D string_size; + req =3D v9fs_req_init(v9p, body_size, P9_TVERSION, tag); =20 v9fs_uint32_write(req, msize); v9fs_string_write(req, version); @@ -366,12 +374,15 @@ static P9Req *v9fs_twalk(QVirtIO9P *v9p, uint32_t fid= , uint32_t newfid, { P9Req *req; int i; - uint32_t size =3D 4 + 4 + 2; + uint32_t body_size =3D 4 + 4 + 2; =20 for (i =3D 0; i < nwname; i++) { - size +=3D v9fs_string_size(wnames[i]); + uint16_t wname_size =3D v9fs_string_size(wnames[i]); + + g_assert_cmpint(body_size, <=3D, UINT32_MAX - wname_size); + body_size +=3D wname_size; } - req =3D v9fs_req_init(v9p, size, P9_TWALK, tag); + req =3D v9fs_req_init(v9p, body_size, P9_TWALK, tag); v9fs_uint32_write(req, fid); v9fs_uint32_write(req, newfid); v9fs_uint16_write(req, nwname);
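Review bot: the tightened bound `g_assert_cmpint(len, <=, UINT16_MAX - 2);` in the v9fs_string_size() hunk (@@ -168) correctly keeps `return 2 + len;` inside the uint16_t return type, but the literal 2 (the 9P two-byte string length prefix) now appears twice in the function with nothing tying them together; a one-line comment at the assertion such as `/* 2-byte length prefix + string must fit in uint16_t */`, or a named constant used in both places, would make the relationship explicit.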
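Review bot: in the v9fs_req_init() hunk (@@ -209) the new `g_assert_cmpint(total_size, <=, UINT32_MAX - size);` placed before `total_size += size;` is not redundant with the `g_assert_cmpint(total_size, <=, P9_MAX_SIZE);` that follows it, since a wrapped sum could be small enough to pass the P9_MAX_SIZE comparison; a short comment saying exactly that would stop a future cleanup from dropping the first check as duplicate. Separately, the header length 7 is now spelled out three times in the function (the `total_size = 7` initialiser, its comment, and `v9fs_memwrite(req, &hdr, 7)`); a single named constant would keep them from drifting apart.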
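Review bot: in the v9fs_tversion() hunk (@@ -305) the check `g_assert_cmpint(body_size, <=, UINT32_MAX - string_size);` can never fail: body_size is the constant 4 and string_size is a uint16_t, so the sum is at most 4 + 65535, nowhere near UINT32_MAX. The assertion is harmless and keeps the pattern uniform with v9fs_twalk(), but a comment noting that it is there for consistency rather than for a reachable overflow would save the next reader from hunting for an overflow path that does not exist.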
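Review bot: the per-iteration `g_assert_cmpint(body_size, <=, UINT32_MAX - wname_size);` in the v9fs_twalk() loop (@@ -366) is the one accumulation in this patch with a variable number of terms, so it is the right place for a guard; note, however, that if nwname is a 16-bit count, as `v9fs_uint16_write(req, nwname)` suggests, the worst case is 10 + 65535 * 65535 = 4294836235, which still fits in uint32_t, so the assertion documents intent rather than catching a wrap that can actually occur. A comment stating the bound either way would help, and since v9fs_req_init() already checks the final size against P9_MAX_SIZE, asserting the running body_size against P9_MAX_SIZE here would fail earlier and with a more meaningful limit than UINT32_MAX.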