cutils: tighten qemu_parse_fd()

qemu_parse_fd() used to handle at least the following strings incorrectly:
o "-2":         simply let through
o "2147483648": returned as LONG_MAX==INT_MAX on ILP32 (with ERANGE
                ignored); implementation-defined behavior on LP64

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>

diff --git a/util/cutils.c b/util/cutils.c
index b3372932390564e5f665e39c6ea09dc0a3dfbef8..dbe7412bd88c2e63c519e7563629fd500cb0892c 100644 (file)
--- a/util/cutils.c
+++ b/util/cutils.c
@@ -24,6 +24,8 @@
 #include "qemu-common.h"
 #include "qemu/host-utils.h"
 #include <math.h>
+#include <limits.h>
+#include <errno.h>
 
 #include "qemu/sockets.h"
 #include "qemu/iov.h"
@@ -457,11 +459,16 @@ int parse_uint_full(const char *s, unsigned long long *value, int base)
 
 int qemu_parse_fd(const char *param)
 {
-    int fd;
-    char *endptr = NULL;
+    long fd;
+    char *endptr;
 
+    errno = 0;
     fd = strtol(param, &endptr, 10);
-    if (*endptr || (fd == 0 && param == endptr)) {
+    if (param == endptr /* no conversion performed */                    ||
+        errno != 0      /* not representable as long; possibly others */ ||
+        *endptr != '\0' /* final string not empty */                     ||
+        fd < 0          /* invalid as file descriptor */                 ||
+        fd > INT_MAX    /* not representable as int */) {
         return -1;
     }
     return fd;