@@ -351,21 +351,28 @@ static void xen_block_get_vdev(Object *obj, Visitor *v, const char *name,
g_free(str);
}
-static unsigned int vbd_name_to_disk(const char *name, const char **endp)
+static int vbd_name_to_disk(const char *name, const char **endp,
+ unsigned long *disk)
{
- unsigned int disk = 0;
+ unsigned int n = 0;
while (*name != '\0') {
if (!g_ascii_isalpha(*name) || !g_ascii_islower(*name)) {
break;
}
- disk *= 26;
- disk += *name++ - 'a' + 1;
+ n *= 26;
+ n += *name++ - 'a' + 1;
}
*endp = name;
- return disk - 1;
+ if (!n) {
+ return -1;
+ }
+
+ *disk = n - 1;
+
+ return 0;
}
static void xen_block_set_vdev(Object *obj, Visitor *v, const char *name,
@@ -418,7 +425,9 @@ static void xen_block_set_vdev(Object *obj, Visitor *v, const char *name,
}
}
} else {
- vdev->disk = vbd_name_to_disk(p, &end);
+ if (vbd_name_to_disk(p, &end, &vdev->disk)) {
+ goto invalid;
+ }
}
if (*end != '\0') {
The function needs to make sure it is passed a valid disk name. This is easily done by making sure that the parsing loop results in a non-zero value. Spotted by Coverity: CID 1398640 Reported-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Paul Durrant <paul.durrant@citrix.com> --- Cc: Stefano Stabellini <sstabellini@kernel.org> Cc: Anthony Perard <anthony.perard@citrix.com> Cc: Kevin Wolf <kwolf@redhat.com> Cc: Max Reitz <mreitz@redhat.com> --- hw/block/xen-block.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-)