Re: [Qemu-devel] [PATCH 1/2] qdev: factor out qdev_print_devinfo.
From: Markus Armbruster
Date: Mon, 03 Aug 2009 10:24:44 +0200
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.3 (gnu/linux)

Gerd Hoffmann <address@hidden> writes:
> On 08/01/09 01:44, Markus Armbruster wrote:
>> Gerd Hoffmann<address@hidden> writes:
>>
>>> Signed-off-by: Gerd Hoffmann<address@hidden>
>>> ---
>>> hw/qdev.c | 19 ++++++++++++++++++-
>>> 1 files changed, 18 insertions(+), 1 deletions(-)
>>>
>>> diff --git a/hw/qdev.c b/hw/qdev.c
>>> index 479eb72..6f05232 100644
>>> --- a/hw/qdev.c
>>> +++ b/hw/qdev.c
>>> @@ -105,6 +105,21 @@ DeviceState *qdev_create(BusState *bus, const char
>>> *name)
>>> return dev;
>>> }
>>>
>>> +static int qdev_print_devinfo(DeviceInfo *info, char *dest, int len)
>>> +{
>>> + int pos = 0;
>>> +
>>> + pos += snprintf(dest+pos, len-pos, "name \"%s\", bus %s",
>>> + info->name, info->bus_info->name);
>>> + if (info->alias)
>>> + pos += snprintf(dest+pos, len-pos, ", alias \"%s\"", info->alias);
>>> + if (info->desc)
>>> + pos += snprintf(dest+pos, len-pos, ", desc \"%s\"", info->desc);
>>> + if (info->no_user)
>>> + pos += snprintf(dest+pos, len-pos, ", no-user");
>>> + return pos;
>>> +}
>>> +
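Review bot: the return value of snprintf() is added to pos unchecked at every `pos += snprintf(dest+pos, len-pos, ...)` line, so once one call truncates its output, pos is larger than len and the next call is given a negative len-pos, which becomes a very large value when converted to snprintf()'s size_t size parameter. Test pos >= len after each call and stop appending (or clamp pos to len - 1), and consider declaring len and pos as size_t so the remaining space is never computed as a negative int. The final `return pos;` has the same problem: after truncation it is not the number of bytes stored in dest, so either return the clamped value or document that callers must compare it against len.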
>>
>> Isn't len-pos vulnerable to underflow here? The formal parameter type
>> is size_t...
>>
>> [...]
>
> Huh? You mean you want to be able to pass a buffer larger than 2^31 to
> that function?
>
> cheers
> Gerd
snprintf() returns length of output. This may exceed its buffer size
argument. Therefore, pos can grow beyond len, and then len-pos becomes
negative. Parameter passing casts that to size_t, and snprintf()
happily writes beyond the buffer.
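
The truncation case described in this message, as an added example that is not part of the original mail or of QEMU: `naive_next_size()` computes the size the patch's pattern would pass to its second snprintf() call, and `buf_appendf()` shows one way to keep the position bounded. The helper names, `safe_devinfo()` and the device strings are hypothetical, constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Size the patch's pattern would hand to its *second* snprintf() call.
 * Only one correctly bounded call is made here; nothing overflows. */
static size_t naive_next_size(char *dest, int len, const char *name, const char *bus)
{
    int pos = snprintf(dest, (size_t)len, "name \"%s\", bus %s", name, bus);
    return (size_t)(len - pos);   /* negative int converted to a huge size_t */
}

/* Hypothetical helper, not QEMU code: append at dest + *pos and keep
 * *pos <= len - 1. Returns 0 if the text fit, -1 if it was truncated. */
static int buf_appendf(char *dest, size_t len, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*pos >= len)
        return -1;                /* no room left, do not call vsnprintf() */
    va_start(ap, fmt);
    n = vsnprintf(dest + *pos, len - *pos, fmt, ap);
    va_end(ap);
    if (n < 0) {                  /* output error: keep what was there */
        dest[*pos] = '\0';
        return -1;
    }
    if ((size_t)n >= len - *pos) {
        *pos = len - 1;           /* truncated: pos stays at the final NUL */
        return -1;
    }
    *pos += (size_t)n;
    return 0;
}

/* Hypothetical bounded variant of the function in the patch (two fields only). */
static int safe_devinfo(char *dest, size_t len, const char *name,
                        const char *bus, const char *alias)
{
    size_t pos = 0;
    int rc = buf_appendf(dest, len, &pos, "name \"%s\", bus %s", name, bus);

    if (alias && buf_appendf(dest, len, &pos, ", alias \"%s\"", alias) < 0)
        rc = -1;
    return rc;
}
```

With a 16-byte buffer and the constructed name "virtio-blk-pci", the first format needs 30 characters, so the naive remainder is -14 before conversion.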