Xen project Mailing List

Re: [win-pv-devel] [PATCH] Alloc/Free memory for FrontendPath and TargetPath

To: Owen Smith <owen.smith@xxxxxxxxxx>, "win-pv-devel@xxxxxxxxxxxxxxxxxxxx" <win-pv-devel@xxxxxxxxxxxxxxxxxxxx>

From: "Durrant, Paul" <pdurrant@xxxxxxxxxxxx>

Date: Wed, 15 Jan 2020 10:36:20 +0000

Accept-language: en-GB, en-US

Delivery-date: Wed, 15 Jan 2020 12:16:23 +0000

Ironport-sdr: TgKCegOXfDwhwdUnrIAob5SwxlxsKnJpTr9P4KwlBWVAOyavHZ5FkQL4M1fTlo5/AP5X8VydRg t8S47LPU4RFA==

List-id: Developer list for the Windows PV Drivers subproject <win-pv-devel.lists.xenproject.org>

Thread-index: AQHVy4w60PaZSE0/jk+phBt4kVka/afrhbUQ

Thread-topic: [win-pv-devel] [PATCH] Alloc/Free memory for FrontendPath and TargetPath

> -----Original Message----- > From: win-pv-devel <win-pv-devel-bounces@xxxxxxxxxxxxxxxxxxxx> On Behalf > Of Owen Smith > Sent: 15 January 2020 11:11 > To: win-pv-devel@xxxxxxxxxxxxxxxxxxxx > Cc: Owen Smith <owen.smith@xxxxxxxxxx> > Subject: [win-pv-devel] [PATCH] Alloc/Free memory for FrontendPath and > TargetPath > > Using a static sized buffer for FrontendPath triggered failures when > the DeviceId is longer than 8 characters, as the RtlStringCbPrintfA call > failed to prefent a buffer overflow. There should be an upper bound on the size of the id though... My reading of https://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=docs/man/xen-vbd-interface.7.pandoc;;hb=HEAD says that a decimal representation of: 1 << 28 | 0xfffff << 8 | 0xff ought to be the limit and by my reckoning that's 9 digits, so I think one extra 'X' should be enough, shouldn't it? Also, isn't a 4 character target id always going to be enough? Paul > > Signed-off-by: Owen Smith <owen.smith@xxxxxxxxxx> > --- > src/xenvbd/frontend.c | 63 +++++++++++++++++++++++++++++++++++++++------- > ----- > 1 file changed, 49 insertions(+), 14 deletions(-) > > diff --git a/src/xenvbd/frontend.c b/src/xenvbd/frontend.c > index 3fa19a0..f6df88d 100644 > --- a/src/xenvbd/frontend.c > +++ b/src/xenvbd/frontend.c > @@ -62,9 +62,9 @@ struct _XENVBD_FRONTEND { > PXENVBD_TARGET Target; > ULONG TargetId; > ULONG DeviceId; > - CHAR > FrontendPath[sizeof("device/vbd/XXXXXXXX")]; > + PCHAR FrontendPath; > PCHAR BackendPath; > - CHAR > TargetPath[sizeof("data/scsi/target/XXXX")]; > + PCHAR TargetPath; > USHORT BackendDomain; > XENVBD_STATE State; > KSPIN_LOCK StateLock; > @@ -1615,7 +1615,7 @@ FrontendDebugCallback( > XENBUS_DEBUG(Printf, > &Frontend->DebugInterface, > "FrontendPath: %s\n", > - Frontend->FrontendPath); > + Frontend->FrontendPath ? Frontend->FrontendPath : > "NULL"); > XENBUS_DEBUG(Printf, > &Frontend->DebugInterface, > "BackendPath: %s\n", > @@ -1623,7 +1623,7 @@ FrontendDebugCallback( > XENBUS_DEBUG(Printf, > &Frontend->DebugInterface, > "TargetPath: %s\n", > - Frontend->TargetPath); > + Frontend->TargetPath ? Frontend->TargetPath : "NULL"); > XENBUS_DEBUG(Printf, > &Frontend->DebugInterface, > "State: %s\n", > @@ -1879,6 +1879,7 @@ FrontendCreate( > ) > { > PXENVBD_FRONTEND Frontend; > + ULONG Size; > NTSTATUS status; > > Trace("Target[%d] @ (%d) =====>\n", TargetId, KeGetCurrentIrql()); > @@ -1902,31 +1903,51 @@ FrontendCreate( > __FrontendGetTargetId(Frontend), > Frontend->MaxQueues); > > + Size = (ULONG)(strlen("device/vbd/") + > + strlen(DeviceId) + > + 1) * sizeof(CHAR); > + > + Frontend->FrontendPath = __FrontendAlloc(Size); > + > + status = STATUS_NO_MEMORY; > + if (Frontend->FrontendPath == NULL) > + goto fail2; > + > status = RtlStringCbPrintfA(Frontend->FrontendPath, > - sizeof(Frontend->FrontendPath), > + Size, > "device/vbd/%u", > Frontend->DeviceId); > if (!NT_SUCCESS(status)) > - goto fail2; > + goto fail3; > + > + Size = (ULONG)(strlen("data/scsi/target/") + > + strlen("XXXX") + > + 1) * sizeof(CHAR); > + > + Frontend->TargetPath = __FrontendAlloc(Size); > + > + status = STATUS_NO_MEMORY; > + if (Frontend->TargetPath == NULL) > + goto fail4; > > status = RtlStringCbPrintfA(Frontend->TargetPath, > sizeof(Frontend->TargetPath), > "data/scsi/target/%u", > TargetId); > if (!NT_SUCCESS(status)) > - goto fail3; > + goto fail5; > > status = RingCreate(Frontend, &Frontend->Ring); > if (!NT_SUCCESS(status)) > - goto fail4; > + goto fail6; > > status = GranterCreate(Frontend, &Frontend->Granter); > if (!NT_SUCCESS(status)) > - goto fail5; > + goto fail7; > > status = ThreadCreate(FrontendBackend, Frontend, &Frontend- > >BackendThread); > if (!NT_SUCCESS(status)) > - goto fail6; > + goto fail8; > > // kernel objects > KeInitializeSpinLock(&Frontend->StateLock); > @@ -1935,18 +1956,26 @@ FrontendCreate( > *_Frontend = Frontend; > return STATUS_SUCCESS; > > -fail6: > - Error("fail6\n"); > +fail8: > + Error("fail8\n"); > GranterDestroy(Frontend->Granter); > Frontend->Granter = NULL; > -fail5: > - Error("fail5\n"); > +fail7: > + Error("fail7\n"); > RingDestroy(Frontend->Ring); > Frontend->Ring = NULL; > +fail6: > + Error("fail6\n"); > +fail5: > + Error("fail5\n"); > + __FrontendFree(Frontend->TargetPath); > + Frontend->TargetPath = NULL; > fail4: > Error("fail4\n"); > fail3: > Error("fail3\n"); > + __FrontendFree(Frontend->FrontendPath); > + Frontend->FrontendPath = NULL; > fail2: > Error("Fail2\n"); > Frontend->Target = NULL; > @@ -1991,6 +2020,12 @@ FrontendDestroy( > RingDestroy(Frontend->Ring); > Frontend->Ring = NULL; > > + __FrontendFree(Frontend->TargetPath); > + Frontend->TargetPath = NULL; > + > + __FrontendFree(Frontend->FrontendPath); > + Frontend->FrontendPath = NULL; > + > Frontend->MaxQueues = 0; > > ASSERT3P(Frontend->BackendPath, ==, NULL); > -- > 2.16.2.windows.1 > > > _______________________________________________ > win-pv-devel mailing list > win-pv-devel@xxxxxxxxxxxxxxxxxxxx > https://lists.xenproject.org/mailman/listinfo/win-pv-devel _______________________________________________ win-pv-devel mailing list win-pv-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/win-pv-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.