Commit | Line | Data |
---|---|---|
95259824 WB |
1 | From 630abd0c70f272b36361348e9ee7d6a71577b72f Mon Sep 17 00:00:00 2001 |
2 | From: Li Qiang <liqiang6-s@360.cn> | |
3 | Date: Tue, 11 Oct 2016 09:27:45 +0200 | |
4 | Subject: [PATCH 4/4] 9pfs: allocate space for guest originated empty strings | |
5 | ||
6 | If a guest sends an empty string parameter to any 9P operation, the current | |
7 | code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }. | |
8 | ||
9 | This is unfortunate because it can cause NULL pointer dereference to happen | |
10 | at various locations in the 9pfs code. And we don't want to check str->data | |
11 | everywhere we pass it to strcmp() or any other function which expects a | |
12 | dereferenceable pointer. | |
13 | ||
14 | This patch enforces the allocation of genuine C empty strings instead, so | |
15 | callers don't have to bother. | |
16 | ||
17 | Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if | |
18 | the returned string is empty. It now uses v9fs_string_size() since | |
19 | name.data cannot be NULL anymore. | |
20 | ||
21 | Signed-off-by: Li Qiang <liqiang6-s@360.cn> | |
22 | [groug, rewritten title and changelog, | |
23 | fix empty string check in v9fs_xattrwalk()] | |
24 | Signed-off-by: Greg Kurz <groug@kaod.org> | |
25 | --- | |
26 | fsdev/9p-iov-marshal.c | 2 +- | |
27 | hw/9pfs/9p.c | 2 +- | |
28 | 2 files changed, 2 insertions(+), 2 deletions(-) | |
29 | ||
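--- a/fsdev/9p-iov-marshal.c
+++ b/fsdev/9p-iov-marshal.c
@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
 str->data = g_malloc(str->size + 1);
 copied = v9fs_unpack(str->data, out_sg, out_num, offset,
 str->size);
- if (copied > 0) {
+ if (copied >= 0) {
 str->data[str->size] = 0;
 } else {
 v9fs_string_free(str);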
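Review bot: The relaxed test `if (copied >= 0)` accepts a zero-byte copy for any `str->size`, not only for an empty string. If v9fs_unpack() could ever return fewer bytes than requested without an error, the bytes between `copied` and `str->size` would be uninitialised heap data handed on as a guest-supplied string. That short-read contract is not visible in this hunk and is presumably enforced inside v9fs_unpack(). Because `str->size` comes from the guest, I would state the dependency in a comment above the test, e.g. `/* copied == 0 is only expected for an empty string; short copies must fail in v9fs_unpack() */`, or tighten the condition to `if (copied == str->size) {` if the types allow it. The body of v9fs_iov_vunmarshal() starts and ends outside the hunk, so how `str->size` is unmarshalled cannot be checked here.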
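--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3161,7 +3161,7 @@ static void v9fs_xattrwalk(void *opaque)
 goto out;
 }
 v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
- if (name.data == NULL) {
+ if (!v9fs_string_size(&name)) {
 /*
 * listxattr request. Get the size first
 */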
56 | -- | |
57 | 2.1.4 | |
58 |