
Re: [Qemu-devel] [PATCH 1/2] qdev: factor out qdev_print_devinfo.


From: Markus Armbruster
Subject: Re: [Qemu-devel] [PATCH 1/2] qdev: factor out qdev_print_devinfo.
Date: Mon, 03 Aug 2009 10:24:44 +0200
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.3 (gnu/linux)

Gerd Hoffmann <address@hidden> writes:

> On 08/01/09 01:44, Markus Armbruster wrote:
>> Gerd Hoffmann<address@hidden>  writes:
>>
>>> Signed-off-by: Gerd Hoffmann<address@hidden>
>>> ---
>>>   hw/qdev.c |   19 ++++++++++++++++++-
>>>   1 files changed, 18 insertions(+), 1 deletions(-)
>>>
>>> diff --git a/hw/qdev.c b/hw/qdev.c
>>> index 479eb72..6f05232 100644
>>> --- a/hw/qdev.c
>>> +++ b/hw/qdev.c
>>> @@ -105,6 +105,21 @@ DeviceState *qdev_create(BusState *bus, const char 
>>> *name)
>>>       return dev;
>>>   }
>>>
>>> +static int qdev_print_devinfo(DeviceInfo *info, char *dest, int len)
>>> +{
>>> +    int pos = 0;
>>> +
>>> +    pos += snprintf(dest+pos, len-pos, "name \"%s\", bus %s",
>>> +                    info->name, info->bus_info->name);
>>> +    if (info->alias)
>>> +        pos += snprintf(dest+pos, len-pos, ", alias \"%s\"", info->alias);
>>> +    if (info->desc)
>>> +        pos += snprintf(dest+pos, len-pos, ", desc \"%s\"", info->desc);
>>> +    if (info->no_user)
>>> +        pos += snprintf(dest+pos, len-pos, ", no-user");
>>> +    return pos;
>>> +}
>>> +
>>
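Review bot: in qdev_print_devinfo() every "pos += snprintf(dest+pos, len-pos, ...)" treats the return value as the number of bytes written, but snprintf() returns the length the complete output would have had. After one truncated call pos is larger than len, so the next call passes a negative len-pos, which converts to a very large size_t size argument and lets snprintf() write past dest. Compare each return value with the remaining space and stop, or clamp pos to len-1, once the buffer is full, and consider size_t for len and pos. The value returned to the caller can also exceed len, so it should not be used as an offset into dest without the same check.
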
>> Isn't len-pos vulnerable to underflow here?  The formal parameter type
>> is size_t...
>>
>> [...]
>
> Huh?  You mean you want to be able to pass a buffer larger than 2^31 to
> that function?
>
> cheers
>   Gerd

snprintf() returns length of output.  This may exceed its buffer size
argument.  Therefore, pos can grow beyond len, and then len-pos becomes
negative.  Parameter passing casts that to size_t, and snprintf()
happily writes beyond the buffer.
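
A bounded-append pattern that avoids the problem described in this message, as an added example that is not part of the original mail or of QEMU's code. The names buf_appendf and print_devinfo are hypothetical, plain strings stand in for DeviceInfo, and the device strings are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not QEMU code): append at dest + *pos, keeping *pos < len.
 * Returns 0 on success, -1 if the output was truncated or nothing was written. */
static int buf_appendf(char *dest, size_t len, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*pos >= len)
        return -1;                 /* covers len == 0; len - *pos cannot wrap */
    va_start(ap, fmt);
    n = vsnprintf(dest + *pos, len - *pos, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;                 /* output error */
    if ((size_t)n >= len - *pos) { /* n is the length that was wanted, not written */
        *pos = len - 1;            /* the terminating NUL sits at dest[len - 1] */
        return -1;
    }
    *pos += (size_t)n;
    return 0;
}

/* Constructed stand-in for qdev_print_devinfo(): plain strings replace DeviceInfo. */
static size_t print_devinfo(const char *name, const char *bus, const char *alias,
                            const char *desc, int no_user, char *dest, size_t len)
{
    size_t pos = 0;

    if (buf_appendf(dest, len, &pos, "name \"%s\", bus %s", name, bus) < 0)
        return pos;
    if (alias && buf_appendf(dest, len, &pos, ", alias \"%s\"", alias) < 0)
        return pos;
    if (desc && buf_appendf(dest, len, &pos, ", desc \"%s\"", desc) < 0)
        return pos;
    if (no_user)
        buf_appendf(dest, len, &pos, ", no-user");
    return pos;
}

int main(void)
{
    char buf[16];                  /* constructed: too small for the sample line */
    size_t pos = print_devinfo("sample-device-name", "PCI", NULL, NULL, 1, buf, sizeof buf);
    printf("pos=%zu text=\"%s\"\n", pos, buf);
    return 0;
}
```

The returned position always equals the length of the string left in dest, so a caller can keep appending from it without a further bounds check on the offset.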



