From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Greg Kurz
Date: Tue, 30 Jan 2018 18:39:35 +0100
Subject: [Qemu-devel] [PULL 10/10] tests/virtio-9p: explicitly handle potential integer overflows
Message-Id: <20180130173935.5172-11-groug@kaod.org>
In-Reply-To: <20180130173935.5172-1-groug@kaod.org>
References: <20180130173935.5172-1-groug@kaod.org>

Signed-off-by: Greg Kurz
Reviewed-by: Eric Blake
Reviewed-by: Stefan Hajnoczi
--- tests/virtio-9p-test.c | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/tests/virtio-9p-test.c b/tests/virtio-9p-test.c index 41fa492cb778..f4824fa33b87 100644 --- a/tests/virtio-9p-test.c +++ b/tests/virtio-9p-test.c
@@ -168,7 +168,7 @@ static uint16_t v9fs_string_size(const char *string) { size_t len =3D strlen(string); =20 - g_assert_cmpint(len, <=3D, UINT16_MAX); + g_assert_cmpint(len, <=3D, UINT16_MAX - 2); =20 return 2 + len; } @@ -209,17 +209,20 @@ static P9Req *v9fs_req_init(QVirtIO9P *v9p, uint32_t = size, uint8_t id, uint16_t tag) { P9Req *req =3D g_new0(P9Req, 1); - uint32_t t_size =3D 7 + size; /* 9P header has well-known size of 7 by= tes */ + uint32_t total_size =3D 7; /* 9P header has well-known size of 7 bytes= */ P9Hdr hdr =3D { - .size =3D cpu_to_le32(t_size), .id =3D id, .tag =3D cpu_to_le16(tag) }; =20 - g_assert_cmpint(t_size, <=3D, P9_MAX_SIZE); + g_assert_cmpint(total_size, <=3D, UINT32_MAX - size); + total_size +=3D size; + hdr.size =3D cpu_to_le32(total_size); + + g_assert_cmpint(total_size, <=3D, P9_MAX_SIZE); =20 req->v9p =3D v9p; - req->t_size =3D t_size; + req->t_size =3D total_size; req->t_msg =3D guest_alloc(v9p->qs->alloc, req->t_size); v9fs_memwrite(req, &hdr, 7); req->tag =3D tag; @@ -305,8 +308,13 @@ static void v9fs_rlerror(P9Req *req, uint32_t *err) static P9Req *v9fs_tversion(QVirtIO9P *v9p, uint32_t msize, const char *ve= rsion, uint16_t tag) { - P9Req *req =3D v9fs_req_init(v9p, 4 + v9fs_string_size(version), P9_TV= ERSION, - tag); + P9Req *req; + uint32_t body_size =3D 4; + uint16_t string_size =3D v9fs_string_size(version); + + g_assert_cmpint(body_size, <=3D, UINT32_MAX - string_size); + body_size +=3D string_size; + req =3D v9fs_req_init(v9p, body_size, P9_TVERSION, tag); =20 v9fs_uint32_write(req, msize); v9fs_string_write(req, version); 
@@ -366,12 +374,15 @@ static P9Req *v9fs_twalk(QVirtIO9P *v9p, uint32_t fid= , uint32_t newfid, { P9Req *req; int i; - uint32_t size =3D 4 + 4 + 2; + uint32_t body_size =3D 4 + 4 + 2; =20 for (i =3D 0; i < nwname; i++) { - size +=3D v9fs_string_size(wnames[i]); + uint16_t wname_size =3D v9fs_string_size(wnames[i]); + + g_assert_cmpint(body_size, <=3D, UINT32_MAX - wname_size); + body_size +=3D wname_size; } - req =3D v9fs_req_init(v9p, size, P9_TWALK, tag); + req =3D v9fs_req_init(v9p, body_size, P9_TWALK, tag); v9fs_uint32_write(req, fid); v9fs_uint32_write(req, newfid); v9fs_uint16_write(req, nwname); --=20 2.13.6
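Review bot: in v9fs_string_size() (hunk at -168), the new bound `UINT16_MAX - 2` and the following `return 2 + len;` both rely on a bare 2 with no explanation. A short comment or a named constant saying that the 2 is the 16-bit length prefix of a 9P string would make it clear why the limit is not simply UINT16_MAX. Both operands are also unsigned (size_t and UINT16_MAX), so g_assert_cmpuint() would match their type better than g_assert_cmpint().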
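Review bot: in v9fs_req_init() (hunk at -209), the first assertion `g_assert_cmpint(total_size, <=, UINT32_MAX - size);` is followed three lines later by the tighter `g_assert_cmpint(total_size, <=, P9_MAX_SIZE);`, so a caller passing an oversized `size` gets a failure message about UINT32_MAX rather than about the protocol limit. Provided P9_MAX_SIZE is at least 7, a single check of `size` against `P9_MAX_SIZE - 7` before the addition would cover both the wrap and the protocol bound. The literal 7 now appears in the initializer, its comment and `v9fs_memwrite(req, &hdr, 7);`, so a named header-size constant would keep the three in step.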
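Review bot: in v9fs_tversion() (hunk at -305), the assertion `g_assert_cmpint(body_size, <=, UINT32_MAX - string_size);` cannot fail as written, because `body_size` is the constant 4 and `string_size` is a uint16_t. If it is kept as a marker that the addition was considered, a one-line comment saying so would stop a later reader from assuming it guards a reachable case. The effective limit for this request is the P9_MAX_SIZE check inside v9fs_req_init().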
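Review bot: in v9fs_twalk() (hunk at -366), the loop repeats the same assert-then-add pair that this patch also open-codes in v9fs_req_init() and v9fs_tversion(): `g_assert_cmpint(body_size, <=, UINT32_MAX - wname_size);` followed by `body_size += wname_size;`. A small static helper that takes the running total and the increment, asserts, and returns the sum would keep the overflow rule in one place and shorten all three call sites. The loop also only bounds the total by UINT32_MAX, so an over-long set of wnames is not rejected until v9fs_req_init() compares against P9_MAX_SIZE. Checking against that limit inside the loop would fail at the element that crosses it.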