On 02.03.2016 17:24, Jeff Cody wrote: > The function qemu_strtoul() reads 'unsigned long' sized data, > which is larger than uint32_t on 64-bit machines. > > Even though the snap_id field in the header is 32-bits, we must > accomodate the full size in qemu_strtoul(). > > This patch also adds more meaningful error handling to the > qemu_strtoul() call, and subsequent results. > > Reported-by: Paolo Bonzini <pbonz...@redhat.com> > Signed-off-by: Jeff Cody <jc...@redhat.com> > --- > block/sheepdog.c | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) > > diff --git a/block/sheepdog.c b/block/sheepdog.c > index 8739acc..87f0027 100644 > --- a/block/sheepdog.c > +++ b/block/sheepdog.c > @@ -2543,7 +2543,7 @@ static int sd_snapshot_delete(BlockDriverState *bs, > const char *name, > Error **errp) > { > - uint32_t snap_id = 0; > + unsigned long snap_id = 0; > char snap_tag[SD_MAX_VDI_TAG_LEN]; > Error *local_err = NULL; > int fd, ret; > @@ -2565,12 +2565,15 @@ static int sd_snapshot_delete(BlockDriverState *bs, > memset(buf, 0, sizeof(buf)); > memset(snap_tag, 0, sizeof(snap_tag)); > pstrcpy(buf, SD_MAX_VDI_LEN, s->name); > - if (qemu_strtoul(snapshot_id, NULL, 10, (unsigned long *)&snap_id)) { > - return -1; > + ret = qemu_strtoul(snapshot_id, NULL, 10, &snap_id); > + if (ret || snap_id > UINT32_MAX) { > + error_setg(errp, "Invalid snapshot ID: %s", > + snapshot_id ? snapshot_id : "<null>"); > + return -EINVAL; > } > > if (snap_id) { > - hdr.snapid = snap_id; > + hdr.snapid = (uint32_t) snap_id;
BTW, not so sure why you are doing an explicit cast to uint32_t here but not in the call to find_vdi_name() below. But I'll spare you a v4 :-) Reviewed-by: Max Reitz <mre...@redhat.com> > } else { > pstrcpy(snap_tag, sizeof(snap_tag), snapshot_id); > pstrcpy(buf + SD_MAX_VDI_LEN, SD_MAX_VDI_TAG_LEN, snap_tag); >
signature.asc
Description: OpenPGP digital signature