external: normalize unambiguous hex file id lookup

cheese-cakee · cheese-cakee · commit 43b95cbc1167 · 2026-04-28T01:23:25.000+05:30
external_lookup_id() uses strict string comparison, so file[0xa:0xa] and file[10:10] (the same file) wont match when one side emits hex and the other decimal. Add a numeric comparison path, but only for unambiguous forms to preserve backward compatibility. The key insight from avagins review: a component like 11 is ambiguous it could mean decimal 11 or hex (0x11 = 17 decimal). Without the explicit 0x prefix, there is no way to know the users intent. file[11:17] and file[17:23] could silently match incorrectly. Parse rules: - 0x... => unambiguous hex (explicit prefix) - contains hex digits (a-f/A-F) => unambiguous hex - digits only => ambiguous, do NOT normalize-match Only normalize when BOTH the mnt_id AND inode components are unambiguous. Ambiguous IDs retain their literal/exact semantics. This narrow fix addresses backward compatibility concerns: - CRIU emits bare hex from %x (e.g., file[a:a]): unambiguous, normalizes - CRIU emits bare digits from %x (e.g., file[10:10]): ambiguous, doesnt normalize - User provides file[0xa:0xa]: unambiguous, matches to stored file[0xa:0xa] - User provides file[10:10]: ambiguous, matches to stored file[10:10] - file[10:10] will NOT normalize-match file[0xa:0xa] because the latter is unambiguous The previous approach was too broad. This explicitly documents where compatibility is preserved and where it is not. Fixes: #2951 Signed-off-by: Farzan Aman Khan <farzanaman99@gmail.com>
diff --git a/criu/external.c b/criu/external.c
@@ -1,3 +1,8 @@
+#include <errno.h>
+#include <limits.h>
+#include <stdint.h>
+#include <stdlib.h>
+
 #include "common/err.h"
 #include "common/list.h"
 #include "cr_options.h"
@@ -8,6 +13,89 @@
 
 #include "net.h"
 
+static bool parse_external_id_component(const char *id, char delim, char **end, unsigned long long *val, bool * unambiguous)
+{
+	char *tmp;
+	bool has_hex_digits = false;
+
+	/*
+	 * Parse with explicit hex prefix (0x...) as hex.
+	 * If no 0x prefix, check whether the component contains
+	 * hex digits (a-f/A-F). If it does, it's unambiguously hex.
+	 * If it's only decimal digits, mark as ambiguous -- we cannot
+	 * infer whether the user meant decimal or hex without the
+	 * explicit prefix.
+	 *
+	 * This avoids the ambiguity where file[11:17] could mean
+	 * decimal (11, 17) or hex (17=23 decimal). Only normalize
+	 * when both IDs are unambiguous to prevent silent miscorrection.
+	 */
+	if (id[0] == '0' && (id[1] == 'x' || id[1] == 'X')) {
+		errno = 0;
+		*val = strtoull(id, &tmp, 16);
+		if (errno || tmp == id || *tmp != delim)
+			return false;
+		*end = tmp;
+		*unambiguous = true;
+		return true;
+	}
+
+	/* Check for hex digits in the component (a-f/A-F) */
+	for (tmp = (char *)id; tmp < (char *)(id + 20) && *tmp != delim && *tmp != '\0'; tmp++) {
+		if ((*tmp >= 'a' && *tmp <= 'f') || (*tmp >= 'A' && *tmp <= 'F')) {
+			has_hex_digits = true;
+			break;
+		}
+	}
+
+	if (has_hex_digits) {
+		errno = 0;
+		*val = strtoull(id, &tmp, 16);
+		if (errno || tmp == id || *tmp != delim)
+			return false;
+		*end = tmp;
+		*unambiguous = true;
+		return true;
+	}
+
+	/* Digits only -- ambiguous, could be decimal or hex */
+	errno = 0;
+	*val = strtoull(id, &tmp, 10);
+	if (!errno && tmp != id && *tmp == delim) {
+		*end = tmp;
+		*unambiguous = false;
+		return true;
+	}
+
+	return false;
+}
+static bool parse_external_file_id(const char *id, unsigned int *mnt_id, uint64_t *inode, bool *unambiguous)
+{
+	char *end = NULL;
+	unsigned long long val;
+	bool mnt_unambiguous, inode_unambiguous;
+
+	if (!strstartswith(id, "file["))
+		return false;
+	id += strlen("file[");
+
+	if (!parse_external_id_component(id, ':', &end, &val, &mnt_unambiguous))
+		return false;
+	if (val > UINT_MAX)
+		return false;
+	*mnt_id = (unsigned int)val;
+
+	id = end + 1;
+	if (!parse_external_id_component(id, ']', &end, &val, &inode_unambiguous))
+		return false;
+	end++;
+	if (*end != '\0')
+		return false;
+
+	*inode = val;
+	*unambiguous = mnt_unambiguous && inode_unambiguous;
+	return true;
+}
 int add_external(char *key)
 {
 	struct external *ext;
@@ -39,10 +127,31 @@ int add_external(char *key)
 bool external_lookup_id(char *id)
 {
 	struct external *ext;
+	unsigned int id_mnt_id, ext_mnt_id;
+	uint64_t id_inode, ext_inode;
+	bool id_unambiguous, ext_unambiguous;
 
-	list_for_each_entry(ext, &opts.external, node)
+	if (!parse_external_file_id(id, &id_mnt_id, &id_inode, &id_unambiguous))
+		id_unambiguous = false;
+
+	list_for_each_entry(ext, &opts.external, node) {
 		if (!strcmp(ext->id, id))
 			return true;
+
+		/*
+		 * Only normalize when BOTH the queried ID and the stored ID
+		 * are unambiguous (explicit 0x prefix or explicit hex digits).
+		 * Ambiguous IDs (digit-only like 11) retain their literal semantics
+		 * and are not matched by normalization to avoid silent miscorrection.
+		 * This preserves backward compatibility with existing checkpoint
+		 * images while enabling proper matching for unambiguous forms.
+		 */
+		if (id_unambiguous &&
+		    parse_external_file_id(ext->id, &ext_mnt_id, &ext_inode, &ext_unambiguous) &&
+		    ext_unambiguous &&
+		    ext_mnt_id == id_mnt_id && ext_inode == id_inode)
+			return true;
+	}
 	return false;
 }
 
