From 0fd53c7fe44edd58a6586c01643e4a95df26e6cd Mon Sep 17 00:00:00 2001
From: Christian Prochaska <christian.prochaska@genode-labs.com>
Date: Fri, 27 Mar 2015 14:02:04 +0100
Subject: [PATCH] Extract numeric string arguments with the correct signedness

There are lots of places where a numeric argument of an argument string
gets extraced as signed long value and then assigned to an unsigned long
variable. If the value in the string was negative, it would not be
detected as invalid (and replaced by the default value), but become a
positive bogus value.

With this patch, numeric values which are supposed to be unsigned get
extracted with the 'ulong_value()' function, which returns the default
value for negative numbers.

Fixes #1472
---
 repos/base-hw/src/core/include/signal_root.h               | 4 ++--
 repos/base-hw/src/core/include/vm_root.h                   | 2 +-
 repos/base/include/root/component.h                        | 2 +-
 repos/base/src/base/child/child.cc                         | 2 +-
 repos/base/src/core/cpu_session_component.cc               | 2 +-
 repos/base/src/core/include/cpu_root.h                     | 4 ++--
 repos/base/src/core/include/ram_root.h                     | 2 +-
 repos/base/src/core/include/rm_root.h                      | 4 ++--
 repos/base/src/core/include/signal_root.h                  | 4 ++--
 repos/base/src/core/include/trace/root.h                   | 4 ++--
 repos/base/src/core/ram_session_component.cc               | 6 +++---
 repos/libports/src/lib/qt5/qpluginwidget/qpluginwidget.cpp | 4 ++--
 repos/os/include/init/child_policy.h                       | 2 +-
 repos/os/src/server/loader/main.cc                         | 2 +-
 repos/os/src/server/log_report/main.cc                     | 2 +-
 repos/os/src/server/nitpicker/main.cc                      | 2 +-
 repos/os/src/server/report_rom/report_service.h            | 2 +-
 repos/ports/src/app/gdb_monitor/app_child.h                | 4 ++--
 18 files changed, 27 insertions(+), 27 deletions(-)

diff --git a/repos/base-hw/src/core/include/signal_root.h b/repos/base-hw/src/core/include/signal_root.h
index 871f1f5d5..e9f948224 100644
--- a/repos/base-hw/src/core/include/signal_root.h
+++ b/repos/base-hw/src/core/include/signal_root.h
@@ -77,7 +77,7 @@ namespace Genode
 			Signal_session_component * _create_session(const char * args)
 			{
 				size_t ram_quota =
-					Arg_string::find_arg(args, "ram_quota").long_value(0);
+					Arg_string::find_arg(args, "ram_quota").ulong_value(0);
 				return new (md_alloc())
 					Signal_session_component(md_alloc(), ram_quota);
 			}
@@ -86,7 +86,7 @@ namespace Genode
 			                      const char * args)
 			{
 				size_t ram_quota =
-					Arg_string::find_arg(args, "ram_quota").long_value(0);
+					Arg_string::find_arg(args, "ram_quota").ulong_value(0);
 				s->upgrade_ram_quota(ram_quota);
 			}
 	};
diff --git a/repos/base-hw/src/core/include/vm_root.h b/repos/base-hw/src/core/include/vm_root.h
index f49145d4e..09f0551a4 100644
--- a/repos/base-hw/src/core/include/vm_root.h
+++ b/repos/base-hw/src/core/include/vm_root.h
@@ -28,7 +28,7 @@ namespace Genode {
 
 			Vm_session_component *_create_session(const char *args)
 			{
-				size_t ram_quota = Arg_string::find_arg(args, "ram_quota").long_value(0);
+				size_t ram_quota = Arg_string::find_arg(args, "ram_quota").ulong_value(0);
 				return new (md_alloc()) Vm_session_component(ep(), ram_quota);
 			}
 
diff --git a/repos/base/include/root/component.h b/repos/base/include/root/component.h
index 9f66b6ecc..2162f1d20 100644
--- a/repos/base/include/root/component.h
+++ b/repos/base/include/root/component.h
@@ -210,7 +210,7 @@ class Genode::Root_component : public Rpc_object<Typed_root<SESSION_TYPE> >,
 			 * We need to decrease 'ram_quota' by
 			 * the size of the session object.
 			 */
-			size_t ram_quota = Arg_string::find_arg(args.string(), "ram_quota").long_value(0);
+			size_t ram_quota = Arg_string::find_arg(args.string(), "ram_quota").ulong_value(0);
 			size_t needed = sizeof(SESSION_TYPE) + md_alloc()->overhead(sizeof(SESSION_TYPE));
 
 			if (needed > ram_quota) {
diff --git a/repos/base/src/base/child/child.cc b/repos/base/src/base/child/child.cc
index 19d29031e..7478a767e 100644
--- a/repos/base/src/base/child/child.cc
+++ b/repos/base/src/base/child/child.cc
@@ -281,7 +281,7 @@ Session_capability Child::session(Parent::Service_name const &name,
 	Affinity const filtered_affinity = _policy->filter_session_affinity(affinity);
 
 	/* transfer the quota donation from the child's account to ourself */
-	size_t ram_quota = Arg_string::find_arg(_args, "ram_quota").long_value(0);
+	size_t ram_quota = Arg_string::find_arg(_args, "ram_quota").ulong_value(0);
 
 	Transfer donation_from_child(ram_quota, _ram, env()->ram_session_cap());
 
diff --git a/repos/base/src/core/cpu_session_component.cc b/repos/base/src/core/cpu_session_component.cc
index afc355065..c9cfd39a4 100644
--- a/repos/base/src/core/cpu_session_component.cc
+++ b/repos/base/src/core/cpu_session_component.cc
@@ -285,7 +285,7 @@ static size_t remaining_session_ram_quota(char const *args)
 	 * We don't need to consider an underflow here because
 	 * 'Cpu_root::_create_session' already checks for the condition.
 	 */
-	return Arg_string::find_arg(args, "ram_quota").long_value(0)
+	return Arg_string::find_arg(args, "ram_quota").ulong_value(0)
 	     - Trace::Control_area::SIZE;
 }
 
diff --git a/repos/base/src/core/include/cpu_root.h b/repos/base/src/core/include/cpu_root.h
index ca28eca65..46a2c7839 100644
--- a/repos/base/src/core/include/cpu_root.h
+++ b/repos/base/src/core/include/cpu_root.h
@@ -37,7 +37,7 @@ namespace Genode {
 			                                       Affinity const &affinity) {
 
 				size_t ram_quota =
-					Arg_string::find_arg(args, "ram_quota").long_value(0);
+					Arg_string::find_arg(args, "ram_quota").ulong_value(0);
 
 				if (ram_quota < Trace::Control_area::SIZE)
 					throw Root::Quota_exceeded();
@@ -51,7 +51,7 @@ namespace Genode {
 
 			void _upgrade_session(Cpu_session_component *cpu, const char *args)
 			{
-				size_t ram_quota = Arg_string::find_arg(args, "ram_quota").long_value(0);
+				size_t ram_quota = Arg_string::find_arg(args, "ram_quota").ulong_value(0);
 				cpu->upgrade_ram_quota(ram_quota);
 			}
 
diff --git a/repos/base/src/core/include/ram_root.h b/repos/base/src/core/include/ram_root.h
index 3824358e9..fa50fa6ee 100644
--- a/repos/base/src/core/include/ram_root.h
+++ b/repos/base/src/core/include/ram_root.h
@@ -38,7 +38,7 @@ namespace Genode {
 
 			void _upgrade_session(Ram_session_component *ram, const char *args)
 			{
-				size_t ram_quota = Arg_string::find_arg(args, "ram_quota").long_value(0);
+				size_t ram_quota = Arg_string::find_arg(args, "ram_quota").ulong_value(0);
 				ram->upgrade_ram_quota(ram_quota);
 			}
 
diff --git a/repos/base/src/core/include/rm_root.h b/repos/base/src/core/include/rm_root.h
index edb7afc00..242ae725b 100644
--- a/repos/base/src/core/include/rm_root.h
+++ b/repos/base/src/core/include/rm_root.h
@@ -44,7 +44,7 @@ namespace Genode {
 			{
 				addr_t start     = Arg_string::find_arg(args, "start").ulong_value(~0UL);
 				size_t size      = Arg_string::find_arg(args, "size").ulong_value(0);
-				size_t ram_quota = Arg_string::find_arg(args, "ram_quota").long_value(0);
+				size_t ram_quota = Arg_string::find_arg(args, "ram_quota").ulong_value(0);
 
 				return new (md_alloc())
 				       Rm_session_component(_ds_ep,
@@ -78,7 +78,7 @@ namespace Genode {
 
 			void _upgrade_session(Rm_session_component *rm, const char *args)
 			{
-				size_t ram_quota = Arg_string::find_arg(args, "ram_quota").long_value(0);
+				size_t ram_quota = Arg_string::find_arg(args, "ram_quota").ulong_value(0);
 				rm->upgrade_ram_quota(ram_quota);
 			}
 
diff --git a/repos/base/src/core/include/signal_root.h b/repos/base/src/core/include/signal_root.h
index 064e4dac5..3ee58ca47 100644
--- a/repos/base/src/core/include/signal_root.h
+++ b/repos/base/src/core/include/signal_root.h
@@ -46,7 +46,7 @@ namespace Genode {
 
 			Signal_session_component *_create_session(const char *args)
 			{
-				size_t ram_quota = Arg_string::find_arg(args, "ram_quota").long_value(0);
+				size_t ram_quota = Arg_string::find_arg(args, "ram_quota").ulong_value(0);
 				return new (md_alloc())
 					Signal_session_component(entrypoint(), entrypoint(),
 					                         md_alloc(), ram_quota);
@@ -54,7 +54,7 @@ namespace Genode {
 
 			void _upgrade_session(Signal_session_component *s, const char *args)
 			{
-				size_t ram_quota = Arg_string::find_arg(args, "ram_quota").long_value(0);
+				size_t ram_quota = Arg_string::find_arg(args, "ram_quota").ulong_value(0);
 				s->upgrade_ram_quota(ram_quota);
 			}
 
diff --git a/repos/base/src/core/include/trace/root.h b/repos/base/src/core/include/trace/root.h
index 0b7c78742..a2e0f179d 100644
--- a/repos/base/src/core/include/trace/root.h
+++ b/repos/base/src/core/include/trace/root.h
@@ -34,7 +34,7 @@ class Genode::Trace::Root : public Genode::Root_component<Session_component>
 
 		Session_component *_create_session(const char *args)
 		{
-			size_t ram_quota       = Arg_string::find_arg(args, "ram_quota").long_value(0);
+			size_t ram_quota       = Arg_string::find_arg(args, "ram_quota").ulong_value(0);
 			size_t arg_buffer_size = Arg_string::find_arg(args, "arg_buffer_size").ulong_value(0);
 			unsigned parent_levels = Arg_string::find_arg(args, "parent_levels").ulong_value(0);
 
@@ -51,7 +51,7 @@ class Genode::Trace::Root : public Genode::Root_component<Session_component>
 
 		void _upgrade_session(Session_component *s, const char *args)
 		{
-			size_t ram_quota = Arg_string::find_arg(args, "ram_quota").long_value(0);
+			size_t ram_quota = Arg_string::find_arg(args, "ram_quota").ulong_value(0);
 			s->upgrade_ram_quota(ram_quota);
 		}
 
diff --git a/repos/base/src/core/ram_session_component.cc b/repos/base/src/core/ram_session_component.cc
index 13b89e126..a4272cfc5 100644
--- a/repos/base/src/core/ram_session_component.cc
+++ b/repos/base/src/core/ram_session_component.cc
@@ -265,13 +265,13 @@ Ram_session_component::Ram_session_component(Rpc_entrypoint  *ds_ep,
 :
 	_ds_ep(ds_ep), _ram_session_ep(ram_session_ep), _ram_alloc(ram_alloc),
 	_quota_limit(quota_limit), _payload(0),
-	_md_alloc(md_alloc, Arg_string::find_arg(args, "ram_quota").long_value(0)),
+	_md_alloc(md_alloc, Arg_string::find_arg(args, "ram_quota").ulong_value(0)),
 	_ds_slab(&_md_alloc), _ref_account(0),
-	_phys_start(Arg_string::find_arg(args, "phys_start").long_value(0))
+	_phys_start(Arg_string::find_arg(args, "phys_start").ulong_value(0))
 {
 	Arg_string::find_arg(args, "label").string(_label, sizeof(_label), "");
 
-	size_t phys_size = Arg_string::find_arg(args, "phys_size").long_value(0);
+	size_t phys_size = Arg_string::find_arg(args, "phys_size").ulong_value(0);
 	/* sanitize overflow and interpret phys_size==0 as maximum phys address */
 	if (_phys_start + phys_size <= _phys_start)
 		_phys_end = ~0UL;
diff --git a/repos/libports/src/lib/qt5/qpluginwidget/qpluginwidget.cpp b/repos/libports/src/lib/qt5/qpluginwidget/qpluginwidget.cpp
index 5eb6dc6f0..649264e20 100644
--- a/repos/libports/src/lib/qt5/qpluginwidget/qpluginwidget.cpp
+++ b/repos/libports/src/lib/qt5/qpluginwidget/qpluginwidget.cpp
@@ -111,7 +111,7 @@ void PluginStarter::_start_plugin(QString &file_name, QByteArray const &file_buf
 
 		PDBG("file_size_uncompressed = %u", file_size);
 
-		size_t ram_quota = Arg_string::find_arg(_args.constData(), "ram_quota").long_value(0) + file_size;
+		size_t ram_quota = Arg_string::find_arg(_args.constData(), "ram_quota").ulong_value(0) + file_size;
 
 		if ((long)env()->ram_session()->avail() - (long)ram_quota < QPluginWidget::RAM_QUOTA) {
 			PERR("quota exceeded");
@@ -161,7 +161,7 @@ void PluginStarter::_start_plugin(QString &file_name, QByteArray const &file_buf
 			_pc->commit_rom_module(file_name.toUtf8().constData());
 		}
 	} else {
-		size_t ram_quota = Arg_string::find_arg(_args.constData(), "ram_quota").long_value(0);
+		size_t ram_quota = Arg_string::find_arg(_args.constData(), "ram_quota").ulong_value(0);
 
 		if ((long)env()->ram_session()->avail() - (long)ram_quota < QPluginWidget::RAM_QUOTA) {
 			_plugin_loading_state = QUOTA_EXCEEDED_ERROR;
diff --git a/repos/os/include/init/child_policy.h b/repos/os/include/init/child_policy.h
index 42f057c2b..b3608317e 100644
--- a/repos/os/include/init/child_policy.h
+++ b/repos/os/include/init/child_policy.h
@@ -151,7 +151,7 @@ class Init::Child_policy_handle_cpu_priorities
 			if (Genode::strcmp(service, "CPU") || _prio_levels_log2 == 0)
 				return;
 
-			unsigned long priority = Arg_string::find_arg(args, "priority").long_value(0);
+			unsigned long priority = Arg_string::find_arg(args, "priority").ulong_value(0);
 
 			/* clamp priority value to valid range */
 			priority = min((unsigned)Cpu_session::PRIORITY_LIMIT - 1, priority);
diff --git a/repos/os/src/server/loader/main.cc b/repos/os/src/server/loader/main.cc
index e1950106e..d08e03360 100644
--- a/repos/os/src/server/loader/main.cc
+++ b/repos/os/src/server/loader/main.cc
@@ -408,7 +408,7 @@ class Loader::Root : public Root_component<Session_component>
 		Session_component *_create_session(const char *args)
 		{
 			size_t quota =
-				Arg_string::find_arg(args, "ram_quota").long_value(0);
+				Arg_string::find_arg(args, "ram_quota").ulong_value(0);
 
 			return new (md_alloc()) Session_component(quota, _ram, _cap);
 		}
diff --git a/repos/os/src/server/log_report/main.cc b/repos/os/src/server/log_report/main.cc
index 83379d8bb..4200859e7 100644
--- a/repos/os/src/server/log_report/main.cc
+++ b/repos/os/src/server/log_report/main.cc
@@ -85,7 +85,7 @@ class Report::Root : public Genode::Root_component<Session_component>
 
 			/* read report buffer size from session arguments */
 			size_t const buffer_size =
-				Arg_string::find_arg(args, "buffer_size").long_value(0);
+				Arg_string::find_arg(args, "buffer_size").ulong_value(0);
 
 			return new (md_alloc())
 				Session_component(Session_component::Label(label), buffer_size);
diff --git a/repos/os/src/server/nitpicker/main.cc b/repos/os/src/server/nitpicker/main.cc
index bf1794ade..3e612125f 100644
--- a/repos/os/src/server/nitpicker/main.cc
+++ b/repos/os/src/server/nitpicker/main.cc
@@ -1045,7 +1045,7 @@ class Nitpicker::Root : public Genode::Root_component<Session_component>
 
 		void _upgrade_session(Session_component *s, const char *args)
 		{
-			size_t ram_quota = Arg_string::find_arg(args, "ram_quota").long_value(0);
+			size_t ram_quota = Arg_string::find_arg(args, "ram_quota").ulong_value(0);
 			s->upgrade_ram_quota(ram_quota);
 		}
 
diff --git a/repos/os/src/server/report_rom/report_service.h b/repos/os/src/server/report_rom/report_service.h
index 063a544a6..a290dd1fe 100644
--- a/repos/os/src/server/report_rom/report_service.h
+++ b/repos/os/src/server/report_rom/report_service.h
@@ -92,7 +92,7 @@ struct Report::Root : Genode::Root_component<Session_component>
 
 			/* read report buffer size from session arguments */
 			size_t const buffer_size =
-				Arg_string::find_arg(args, "buffer_size").long_value(0);
+				Arg_string::find_arg(args, "buffer_size").ulong_value(0);
 
 			return new (md_alloc())
 				Session_component(Rom::Module::Name(label), buffer_size,
diff --git a/repos/ports/src/app/gdb_monitor/app_child.h b/repos/ports/src/app/gdb_monitor/app_child.h
index 578be8780..614475e5a 100644
--- a/repos/ports/src/app/gdb_monitor/app_child.h
+++ b/repos/ports/src/app/gdb_monitor/app_child.h
@@ -180,7 +180,7 @@ namespace Gdb_monitor {
 
 						Genode::size_t ram_quota =
 							Arg_string::find_arg(args.string(),
-							                     "ram_quota").long_value(0);
+							                     "ram_quota").ulong_value(0);
 
 						/* forward session quota to child */
 						env()->ram_session()->transfer_quota(_child_ram, ram_quota);
@@ -209,7 +209,7 @@ namespace Gdb_monitor {
 
 						Genode::size_t ram_quota =
 							Arg_string::find_arg(args.string(),
-							                     "ram_quota").long_value(0);
+							                     "ram_quota").ulong_value(0);
 
 						/* forward session quota to child */
 						env()->ram_session()->transfer_quota(_child_ram, ram_quota);