1 From 630abd0c70f272b36361348e9ee7d6a71577b72f Mon Sep 17 00:00:00 2001
2 From: Li Qiang <liqiang6-s@360.cn>
3 Date: Tue, 11 Oct 2016 09:27:45 +0200
4 Subject: [PATCH 4/4] 9pfs: allocate space for guest originated empty strings
5
6 If a guest sends an empty string parameter to any 9P operation, the current
7 code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }.
8
9 This is unfortunate because it can cause NULL pointer dereference to happen
10 at various locations in the 9pfs code. And we don't want to check str->data
11 everywhere we pass it to strcmp() or any other function which expects a
12 dereferenceable pointer.
13
14 This patch enforces the allocation of genuine C empty strings instead, so
15 callers don't have to bother.
16
17 Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if
18 the returned string is empty. It now uses v9fs_string_size() since
19 name.data cannot be NULL anymore.
20
21 Signed-off-by: Li Qiang <liqiang6-s@360.cn>
22 [groug, rewritten title and changelog,
23 fix empty string check in v9fs_xattrwalk()]
24 Signed-off-by: Greg Kurz <groug@kaod.org>
25 ---
26 fsdev/9p-iov-marshal.c | 2 +-
27 hw/9pfs/9p.c | 2 +-
28 2 files changed, 2 insertions(+), 2 deletions(-)
29
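diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
index 663cad5..1d16f8d 100644
--- a/fsdev/9p-iov-marshal.c
+++ b/fsdev/9p-iov-marshal.c
@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
 str->data = g_malloc(str->size + 1);
 copied = v9fs_unpack(str->data, out_sg, out_num, offset,
 str->size);
- if (copied > 0) {
+ if (copied >= 0) {
 str->data[str->size] = 0;
 } else {
 v9fs_string_free(str);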
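Review bot: The changed condition carries no comment explaining why a zero-byte unpack is now a success, so a later reader could "tighten" `>=` back to `>` and silently reintroduce the NULL `str->data` that the commit message says callers dereference. A one-line comment above the check would pin the intent: `/* copied == 0 is the guest-sent empty string: keep the allocation and NUL-terminate it so str->data is always a valid C string */`. It is also worth noting that the invariant relied on here (a successful unmarshal never yields `.data == NULL`) is established in this function but consumed in hw/9pfs/9p.c, so the comment is the only place that links the two. The body of v9fs_iov_vunmarshal, including where str->size is read from the guest before the g_malloc, lies outside the hunk.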
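diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 54e18a2..75ba5f1 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3161,7 +3161,7 @@ static void v9fs_xattrwalk(void *opaque)
 goto out;
 }
 v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
- if (name.data == NULL) {
+ if (!v9fs_string_size(&name)) {
 /*
 * listxattr request. Get the size first
 */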
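Review bot: The existing comment `listxattr request. Get the size first` no longer says what distinguishes a listxattr request now that the NULL test is gone, and the new `v9fs_string_size()` check reads as an arbitrary length test. Extending it to `/* An empty name selects listxattr (name.data is a valid empty C string here, never NULL, since a successful unmarshal always allocates). Get the size first. */` records the contract the fix in fsdev/9p-iov-marshal.c introduces. This presumably holds because the failure path of the unmarshal is handled before this point (the `goto out` above suggests so), but that check is outside the hunk, as are the start and end of v9fs_xattrwalk.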
56 --
57 2.1.4
58