From: Jincheng Miao Date: Fri, 12 Jul 2013 12:17:23 +0000 (+0200) Subject: Change domain controller index type to unsigned X-Git-Tag: CVE-2013-4154~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=945b18eb7d449217de1a3ce349d31eb43c39cf3e;p=thirdparty%2Flibvirt.git Change domain controller index type to unsigned Error out on negative index values. https://bugzilla.redhat.com/show_bug.cgi?id=981261 --- diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 1c4cb33d10..5f0366e426 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -2653,7 +2653,7 @@ virDomainDefRejectDuplicateControllers(virDomainDefPtr def) for (i = 0; i < def->ncontrollers; i++) { cont = def->controllers[i]; - if (cont->idx > max_idx[cont->type]) + if ((int) cont->idx > max_idx[cont->type]) max_idx[cont->type] = cont->idx; } @@ -5567,7 +5567,8 @@ virDomainControllerDefParseXML(xmlNodePtr node, idx = virXMLPropString(node, "index"); if (idx) { - if (virStrToLong_i(idx, NULL, 10, &def->idx) < 0) { + if (virStrToLong_ui(idx, NULL, 10, &def->idx) < 0 || + def->idx > INT_MAX) { virReportError(VIR_ERR_INTERNAL_ERROR, _("Cannot parse controller index %s"), idx); goto error; @@ -14381,7 +14382,7 @@ virDomainControllerDefFormat(virBufferPtr buf, } virBufferAsprintf(buf, - " idx); if (model) { diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 9c563fe10f..ef72d24830 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -790,7 +790,7 @@ struct _virDomainVirtioSerialOpts { /* Stores the virtual disk controller configuration */ struct _virDomainControllerDef { int type; - int idx; + unsigned int idx; int model; /* -1 == undef */ unsigned int queues; union { diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 879aed81a3..0e517f21a7 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c 
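Review bot: The `(int) cont->idx` cast in the virDomainDefRejectDuplicateControllers hunk is only correct while every controller definition keeps idx at or below INT_MAX, and nothing at the cast says so. The XML parser hunk in this commit enforces that bound, but any code that fills in idx without going through the parser (not visible here) could store a larger value, which would turn negative after the cast and be skipped when max_idx is computed. I would record the invariant at the cast, for example `/* idx is capped at INT_MAX when parsed, so this cast cannot go negative */`. The same cast is added in the qemuDomainAssignPCIAddresses hunk in src/qemu/qemu_command.c. The enclosing function starts and ends outside the hunk.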
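Review bot: The negative-index rejection in the virDomainControllerDefParseXML hunk depends on how virStrToLong_ui treats a leading minus sign, which the hunk does not show. If that helper is built on strtoul(), a negative string is negated into an unsigned value rather than refused, so rejection rests on the helper's range check and on `def->idx > INT_MAX`, and the outcome may differ between platforms with 32-bit and 64-bit long (worth confirming against the helper). Refusing the sign before conversion would make the intent independent of that: skip leading whitespace in idx and fail if the next character is `-`, then keep `virStrToLong_ui(idx, NULL, 10, &def->idx) < 0 || def->idx > INT_MAX`. A short comment on the INT_MAX test, such as `/* other code casts idx to int; keep it representable */`, would also explain why an unsigned field is capped. The function body continues outside the hunk.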
@@ -1573,7 +1573,7 @@ qemuDomainAssignPCIAddresses(virDomainDefPtr def, for (i = 0; i < def->ncontrollers; i++) { if (def->controllers[i]->type == VIR_DOMAIN_CONTROLLER_TYPE_PCI) { - if (def->controllers[i]->idx > max_idx) + if ((int) def->controllers[i]->idx > max_idx) max_idx = def->controllers[i]->idx; } } diff --git a/src/vmx/vmx.c b/src/vmx/vmx.c index 48b7f1d2f3..28a6f103b2 100644 --- a/src/vmx/vmx.c +++ b/src/vmx/vmx.c @@ -1653,8 +1653,7 @@ virVMXParseConfig(virVMXContext *ctx, for (controller = 0; controller < def->ncontrollers; ++controller) { if (def->controllers[controller]->type == VIR_DOMAIN_CONTROLLER_TYPE_SCSI) { - if (def->controllers[controller]->idx < 0 || - def->controllers[controller]->idx > 3) { + if (def->controllers[controller]->idx > 3) { virReportError(VIR_ERR_INTERNAL_ERROR, _("SCSI controller index %d out of [0..3] range"), def->controllers[controller]->idx); diff --git a/tests/qemuxml2argvdata/qemuxml2argv-pci-bridge-negative-index-invalid.xml b/tests/qemuxml2argvdata/qemuxml2argv-pci-bridge-negative-index-invalid.xml new file mode 100644 index 0000000000..be3d8f22e1 --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-pci-bridge-negative-index-invalid.xml @@ -0,0 +1,15 @@ + + fdr-br + 2097152 + 2097152 + 2 + + hvm + + + + /usr/libexec/qemu-kvm + + + + diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index d0d9cad92d..7d7332f8e3 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -1015,6 +1015,9 @@ mymain(void) DO_TEST("mlock-off", QEMU_CAPS_MLOCK); DO_TEST("mlock-unsupported", NONE); + DO_TEST_PARSE_ERROR("pci-bridge-negative-index-invalid", + QEMU_CAPS_DEVICE, QEMU_CAPS_DEVICE_PCI_BRIDGE); + virObjectUnref(driver.config); virObjectUnref(driver.caps); virObjectUnref(driver.xmlopt);
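Review bot: The error message in the virVMXParseConfig hunk still formats the index with `%d` although idx is now `unsigned int`, so the specifier no longer matches the argument type. The range check was updated but the context line below it was not; it should read `_("SCSI controller index %u out of [0..3] range"),`. This is also the path that reports out-of-range values, so a mismatched specifier would misprint exactly the inputs the message exists to describe. The enclosing loop and function extend beyond the hunk.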
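Review bot: The test added in the mymain hunk of tests/qemuxml2argvtest.c covers only a negative index, so the new `def->idx > INT_MAX` branch in the parser has no test for a positive value above INT_MAX. A second `DO_TEST_PARSE_ERROR(...)` entry with the same capability flags and a data file whose controller index is just above INT_MAX would pin that bound. Without it, a later change to the parsing helper could drop the upper limit unnoticed while the `(int)` casts elsewhere in this commit still rely on it.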