[Qemu-devel] [PULL 01/12] 9pfs: allocate space for guest originated empty strings
From: Greg Kurz
Subject: [Qemu-devel] [PULL 01/12] 9pfs: allocate space for guest originated empty strings
Date: Mon, 17 Oct 2016 17:05:43 +0200
From: Li Qiang <address@hidden>
If a guest sends an empty string parameter to any 9P operation, the current
code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }.
This is unfortunate because it can cause NULL pointer dereference to happen
at various locations in the 9pfs code. And we don't want to check str->data
everywhere we pass it to strcmp() or any other function which expects a
dereferenceable pointer.
This patch enforces the allocation of genuine C empty strings instead, so
callers don't have to bother.
Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if
the returned string is empty. It now uses v9fs_string_size() since
name.data cannot be NULL anymore.
Signed-off-by: Li Qiang <address@hidden>
[groug, rewritten title and changelog,
fix empty string check in v9fs_xattrwalk()]
Signed-off-by: Greg Kurz <address@hidden>
---
fsdev/9p-iov-marshal.c | 2 +-
hw/9pfs/9p.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
index 663cad542900..1d16f8df4bd4 100644
--- a/fsdev/9p-iov-marshal.c
+++ b/fsdev/9p-iov-marshal.c
@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int
out_num, size_t offset,
str->data = g_malloc(str->size + 1);
copied = v9fs_unpack(str->data, out_sg, out_num, offset,
str->size);
- if (copied > 0) {
+ if (copied >= 0) {
str->data[str->size] = 0;
} else {
v9fs_string_free(str);
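Review bot: the new `if (copied >= 0)` test is only correct on the assumption that v9fs_unpack() signals failure with a negative value and returns 0 for a legitimately zero-length string; a one-line comment above the test stating that would stop a future reader from "tightening" it back to `> 0`, which is exactly what produced the NULL data pointer. It is also worth saying in the changelog that the remaining `else` branch still calls v9fs_string_free() and leaves str->data NULL on a genuine unpack error, so callers must keep checking the return value of v9fs_iov_vunmarshal() rather than relying on the pointer being non-NULL.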
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 119ee584969b..39a7e1d52d2a 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3174,7 +3174,7 @@ static void v9fs_xattrwalk(void *opaque)
goto out;
}
v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
- if (name.data == NULL) {
+ if (!v9fs_string_size(&name)) {
/*
* listxattr request. Get the size first
*/
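Review bot: with data now always allocated for a successfully unmarshalled string, the old `name.data == NULL` test could never fire, so every xattrwalk with an empty name would have been handled as a getxattr for "" instead of a listxattr; `!v9fs_string_size(&name)` is the right replacement. Since the distinguishing condition has moved from "pointer missing" to "size is zero", the comment that follows (`listxattr request. Get the size first`) could say that an empty name is what selects listxattr. The changelog asserts this is the only v9fs_iov_vunmarshal() user that inspects `.data` for NULL; a quick grep of hw/9pfs for other `.data == NULL` comparisons on unmarshalled strings before merging would confirm that.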
--
2.5.5
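The failure mode the changelog describes, worked through as an added example that is not QEMU's code: a stripped-down model of v9fs_iov_vunmarshal()'s string path with a flag that selects the pre-patch `copied > 0` test or the post-patch `copied >= 0` test. V9fsString, model_unpack(), model_string_free(), unmarshal_string(), probe() and the three wire buffers are all constructed here (plain malloc instead of g_malloc, a flat byte buffer instead of an iovec); only the `size + 1` allocation, the NUL-termination and the two comparisons mirror the hunk. The example also shows why v9fs_xattrwalk()'s `name.data == NULL` test stops working once the fix is in and a size test is needed instead.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/types.h>

/* Constructed, minimal model of V9fsString (not QEMU's definition). */
typedef struct {
    uint16_t size;
    char *data;
} V9fsString;

/* Stand-in for v9fs_unpack(): copy 'size' bytes of the flat wire buffer at
 * 'offset' into dst. Returns the byte count (0 is a legitimate result for an
 * empty string) or -1 when the request runs past the end of the buffer. */
static ssize_t model_unpack(void *dst, const uint8_t *wire, size_t wire_len,
                            size_t offset, size_t size)
{
    if (offset > wire_len || size > wire_len - offset) {
        return -1;
    }
    memcpy(dst, wire + offset, size);
    return (ssize_t)size;
}

static void model_string_free(V9fsString *str)
{
    free(str->data);
    str->data = NULL;
    str->size = 0;
}

/* A 9P string on the wire is a 16-bit little-endian length followed by the
 * bytes. accept_empty == 0 reproduces the pre-patch test (copied > 0),
 * accept_empty == 1 the post-patch one (copied >= 0). */
static ssize_t unmarshal_string(const uint8_t *wire, size_t wire_len,
                                V9fsString *str, int accept_empty)
{
    ssize_t copied;

    if (wire_len < 2) {
        return -1;
    }
    str->size = (uint16_t)(wire[0] | (wire[1] << 8));
    str->data = malloc((size_t)str->size + 1);   /* +1 reserves the NUL */
    copied = model_unpack(str->data, wire, wire_len, 2, str->size);
    if (accept_empty ? copied >= 0 : copied > 0) {
        str->data[str->size] = 0;                /* genuine C string, even "" */
    } else {
        /* Pre-patch this branch also swallows copied == 0: the buffer is
         * freed, data becomes NULL, yet 0 (success) is returned to the caller. */
        model_string_free(str);
    }
    return copied;
}

/* What a caller would observe after one unmarshal, gathered before the
 * string is freed so that nothing leaks. */
typedef struct {
    ssize_t ret;        /* value returned to the caller */
    int data_is_null;   /* v9fs_xattrwalk's old test: name.data == NULL */
    size_t size;        /* its new test: v9fs_string_size(&name) == 0 */
    int cmp_empty;      /* 1 if strcmp(data, "") == 0, -1 if data is NULL */
} Observation;

static Observation probe(const uint8_t *wire, size_t wire_len, int accept_empty)
{
    V9fsString s = { 0, NULL };
    Observation o;

    o.ret = unmarshal_string(wire, wire_len, &s, accept_empty);
    o.data_is_null = (s.data == NULL);
    o.size = s.size;
    o.cmp_empty = s.data ? (strcmp(s.data, "") == 0) : -1;
    model_string_free(&s);
    return o;
}

/* Constructed wire samples (not captured traffic). */
static const uint8_t WIRE_EMPTY[] = { 0x00, 0x00 };                /* size 0 */
static const uint8_t WIRE_ABC[]   = { 0x03, 0x00, 'a', 'b', 'c' }; /* "abc" */
static const uint8_t WIRE_SHORT[] = { 0x03, 0x00, 'a' };           /* claims 3, carries 1 */

int main(void)
{
    Observation before = probe(WIRE_EMPTY, sizeof WIRE_EMPTY, 0);
    Observation after  = probe(WIRE_EMPTY, sizeof WIRE_EMPTY, 1);

    printf("empty string, pre-patch:  ret=%zd data_is_null=%d\n",
           before.ret, before.data_is_null);
    printf("empty string, post-patch: ret=%zd data_is_null=%d strcmp-safe=%d\n",
           after.ret, after.data_is_null, after.cmp_empty);
    return 0;
}
```

The pre-patch run returns 0 (success) while leaving data NULL, which is the state that later reaches strcmp() and friends; the post-patch run returns 0 with a one-byte "" buffer, and a truncated message still fails with -1 and a NULL pointer, which is why callers keep checking the return value.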