The function needs to make sure it is passed a valid disk name. This is
easily done by making sure that the parsing loop results in a non-zero
value.
Spotted by Coverity: CID 1398640
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
---
Cc: Stefano Stabellini <sstabellini@kernel.org>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Kevin Wolf <kwolf@redhat.com>
Cc: Max Reitz <mreitz@redhat.com>
---
hw/block/xen-block.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/hw/block/xen-block.c b/hw/block/xen-block.c
index 29afe2703a..37a456c207 100644
--- a/hw/block/xen-block.c
+++ b/hw/block/xen-block.c
@@ -351,21 +351,28 @@ static void xen_block_get_vdev(Object *obj, Visitor *v, const char *name,
g_free(str);
}
-static unsigned int vbd_name_to_disk(const char *name, const char **endp)
+static int vbd_name_to_disk(const char *name, const char **endp,
+ unsigned long *disk)
{
- unsigned int disk = 0;
+ unsigned int n = 0;
while (*name != '\0') {
if (!g_ascii_isalpha(*name) || !g_ascii_islower(*name)) {
break;
}
- disk *= 26;
- disk += *name++ - 'a' + 1;
+ n *= 26;
+ n += *name++ - 'a' + 1;
}
*endp = name;
- return disk - 1;
+ if (!n) {
+ return -1;
+ }
+
+ *disk = n - 1;
+
+ return 0;
}
static void xen_block_set_vdev(Object *obj, Visitor *v, const char *name,
@@ -418,7 +425,9 @@ static void xen_block_set_vdev(Object *obj, Visitor *v, const char *name,
}
}
} else {
- vdev->disk = vbd_name_to_disk(p, &end);
+ if (vbd_name_to_disk(p, &end, &vdev->disk)) {
+ goto invalid;
+ }
}
if (*end != '\0') {
--
2.20.1.2.gb21ebb6