[Libvir] diagnose invalid domain ID numbers (and invalid integers, in general)

Jim Meyering jim at meyering.net
Fri Nov 9 09:05:44 UTC 2007 

Hello,

There are over 30 uses of strtol in libvirt, and they all can silently
accept invalid input.  The invalid string might range from an outlandish
domain ID like 4294967298 to strings of digits followed by bogus alpha.
Maybe not worth worrying about, you say?  But what if they indicate user
confusion, e.g., 1,000 vs 1000?  Silently interpreting "1,000" as "1"
would leave the poor user even more confused :-)  IMHO, they should all
be diagnosed.

Fixing them properly requires some infrastructure,
so that you don't end up duplicating too much logic.

This patch adds part of that infrastructure and fixes only a single
instance, to start with.  I'll fix the others once we're all agreed
on the form of the infrastructure.  I've fixed the bug that would make
this command:

    echo domname $(echo 2^32+2|bc)|src/virsh ...

act just like this one:

    echo domname 2|src/virsh ...

Now, it does this:

    $ echo domname 4294967298|src/virsh --quiet --connect test://$PWD/docs/testnode.xml
    virsh > error: failed to get domain '4294967298'
    virsh >

The new test script, tests/int-overflow demonstrates
precisely that before/after behavior.

This change adds some other new files.
src/xstrtol.c and .h contain the first of a few new
strtol-like functions.  This first one, xstrtol_i,
converts to an "int".  Other wrappers will convert to wider types.
The goal is to put the tedious tests into the wrappers so that
applications can be robust without all the duplicated gore.

It is important (from type-safety and maintainability standpoints) to
ensure that the resulting integral value be "returned" via an argument
pointer, not a return value.  With the former, you're guaranteed to have
matching types.  Simply getting the value via "return", it is too easy
to mistakenly change width or signedness.

Here's the new function's description and signature:

  /* Like strtol, but produce an "int" result, and check more carefully.
     Return 0 upon success;  return -1 to indicate failure.
     When END_PTR is NULL, the byte after the final valid digit must be NUL.
     Otherwise, it's like strtol and lets the caller check any suffix for
     validity.  This function is careful to return -1 when the string S
     represents a number that is not representable as an "int". */
  int xstrtol_i(char const *s, char **end_ptr, int base, int *result)

My first attempt put the definition of xstrtol_i in
the logical place: util.c.  But that would have required linking
virsh with util.c, and that fails due to an unsatisfied reference
to __virRaiseError.  So instead, it's in its own file, now.
If you want it in some other file, just tell me where.

BTW, I have no strong preference for the name xstrtol_i.  Bear in mind
that the name tells you that it's based on (and limited to) strtol's
"long" type, and produces an 'i'nt value.  It happens to be the same one
used in at least one other project, and closely resembles the xstrto*
functions in gnulib.  Note that there are almost certainly places in the
code where we'll want to use a variant that targets an unsigned type like
"size_t" or a wider type like long long.  In addition to other uses of
strtol that I plan to fix, there are three uses of strtoll, too.

Patch attached below.
If you apply it with plain-old-patch, remember to run this:

chmod a+x tests/int-overflow

Thu Nov  8 09:59:43 CET 2007 Jim Meyering  <meyering at redhat.com>

	Diagnose an invalid domain ID number.

	* src/virsh.c: Include "xstrtol.h"
	(vshCommandOptDomainBy): Detect integer overflow in domain ID number.
	* tests/int-overflow: New script. Test for the above-fixed bug.
	* tests/Makefile.am (TESTS): Add int-overflow.
	(TESTS_ENVIRONMENT): Define, to propagate $abs_top_* variables
	into the int-overflow script.
	(valgrind): Adapt rule not to clobber new TESTS_ENVIRONMENT.
	* src/xstrtol.h, src/xstrtol.c: New files.
	* src/Makefile.am (virsh_SOURCES): Add xstrtol.c and xstrtol.h.

---
 src/Makefile.am    |    2 +-
 src/virsh.c        |   10 ++++------
 src/xstrtol.c      |   33 +++++++++++++++++++++++++++++++++
 src/xstrtol.h      |    7 +++++++
 tests/Makefile.am  |   10 ++++++++--
 tests/int-overflow |   22 ++++++++++++++++++++++
 6 files changed, 75 insertions(+), 9 deletions(-)
 create mode 100644 src/xstrtol.c
 create mode 100644 src/xstrtol.h
 create mode 100755 tests/int-overflow

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: libvirt-invalid-domain-ID
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20071109/a9a0b120/attachment-0001.ksh>

More information about the libvir-list mailing list