[Qemu-devel] [PATCH v2 5/5] 9p: forbid empty extension string

[Greg Kurz]

A buggy guest using the 9p2000.u protocol can issue a create request and
pass an empty string as the extension argument. This causes QEMU to crash
in the case of a hard link or a special file, and leads to undefined
behavior, depending on the backend, in the case of a symbolic link.

This patch causes the request to fail with EINVAL in these scenarios.

Signed-off-by: Greg Kurz <address@hidden>
---
 hw/9pfs/9p.c |   21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 7b1dfe4e47cb..dc65c3125006 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2150,6 +2150,11 @@ static void v9fs_create(void *opaque)
         }
         fidp->fid_type = P9_FID_DIR;
     } else if (perm & P9_STAT_MODE_SYMLINK) {
+        if (extension.data == NULL) {
+            err = -EINVAL;
+            goto out;
+        }
+
         err = v9fs_co_symlink(pdu, fidp, &name,
                               extension.data, -1 , &stbuf);
         if (err < 0) {
@@ -2161,8 +2166,15 @@ static void v9fs_create(void *opaque)
         }
         v9fs_path_copy(&fidp->path, &path);
     } else if (perm & P9_STAT_MODE_LINK) {
-        int32_t ofid = atoi(extension.data);
-        V9fsFidState *ofidp = get_fid(pdu, ofid);
+        V9fsFidState *ofidp;
+
+        if (extension.data == NULL) {
+            err = -EINVAL;
+            goto out;
+        }
+
+        ofidp = get_fid(pdu, atoi(extension.data));
+
         if (ofidp == NULL) {
             err = -EINVAL;
             goto out;
@@ -2188,6 +2200,11 @@ static void v9fs_create(void *opaque)
         uint32_t major, minor;
         mode_t nmode = 0;
 
+        if (extension.data == NULL) {
+            err = -EINVAL;
+            goto out;
+        }
+
         if (sscanf(extension.data, "%c %u %u", &ctype, &major, &minor) != 3) {
             err = -errno;
             goto out;