[Xen-changelog] [linux-2.6.18-xen] xenbus: Reject replies with payload > XENSTORE_PAYLOAD_MAX
# HG changeset patch # User Ian Campbell <ian.campbell@xxxxxxxxxx> # Date 1325755282 -3600 # Node ID 821a5b2a10c86f18fbce0907af0db6905b9d540a # Parent bf19dd41c5c9bf6a30d8405a9e1f3b17884b1e4e xenbus: Reject replies with payload > XENSTORE_PAYLOAD_MAX This also avoids a potential integer overflow pointed out by Haogang Chen. Also use this in struct xenbus_dev_data even though it happens to be == PAGE_SIZE. The code which takes requests from userspace already validates against the size of this buffer so no further checks are required to ensure that userspace requests comply with the protocol in this respect. Signed-off-by: Ian Campbell <ian.campbell@xxxxxxxxxx> Cc: Haogang Chen <haogangchen@xxxxxxxxx> Committed-by: Jan Beulich <jbeulich@xxxxxxxx> --- diff -r bf19dd41c5c9 -r 821a5b2a10c8 drivers/xen/xenbus/xenbus_dev.c --- a/drivers/xen/xenbus/xenbus_dev.c Thu Jan 05 09:37:01 2012 +0100 +++ b/drivers/xen/xenbus/xenbus_dev.c Thu Jan 05 10:21:22 2012 +0100 @@ -78,7 +78,7 @@ unsigned int len; union { struct xsd_sockmsg msg; - char buffer[PAGE_SIZE]; + char buffer[XENSTORE_PAYLOAD_MAX]; } u; /* Response queue. */ diff -r bf19dd41c5c9 -r 821a5b2a10c8 drivers/xen/xenbus/xenbus_xs.c --- a/drivers/xen/xenbus/xenbus_xs.c Thu Jan 05 09:37:01 2012 +0100 +++ b/drivers/xen/xenbus/xenbus_xs.c Thu Jan 05 10:21:22 2012 +0100 @@ -847,6 +847,12 @@ goto out; } + if (msg->hdr.len > XENSTORE_PAYLOAD_MAX) { + kfree(msg); + err = -EINVAL; + goto out; + } + body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH); if (body == NULL) { kfree(msg); _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
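Review bot: in the xenbus_dev.c hunk, `buffer[XENSTORE_PAYLOAD_MAX]` sits in a union with `struct xsd_sockmsg msg`, so the array overlays the header rather than following it. If the userspace write path bounds the whole request (header plus payload) by `sizeof(u.buffer)`, as the commit message implies, the largest payload userspace can submit is XENSTORE_PAYLOAD_MAX minus sizeof(struct xsd_sockmsg), not XENSTORE_PAYLOAD_MAX. Either size the array as `sizeof(struct xsd_sockmsg) + XENSTORE_PAYLOAD_MAX` or add a comment at the declaration stating that the buffer covers header and payload together, so the bound the write path relies on is documented where it is defined.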
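Review bot: in the xenbus_xs.c hunk, the new `if (msg->hdr.len > XENSTORE_PAYLOAD_MAX)` branch frees `msg` and leaves with -EINVAL, but nothing in the visible lines reads or discards the `hdr.len` bytes the header announced. It is worth confirming that the caller resets or resynchronises the channel on this error, otherwise the next header read starts inside the rejected payload. A rate-limited warning that includes the offending length would also help, since an oversized reply means the peer broke the protocol, and the check deserves a one-line comment noting that it also keeps `msg->hdr.len + 1` in the following kmalloc() from wrapping.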