
[PATCH v2] xenbus: reject unterminated directory replies



split_strings() walks each directory entry with strlen(). Although the
transport adds a terminator after the reply buffer, a malformed reply
without a final NUL inside its advertised length would let that walk
cross the protocol payload boundary.

Reject such replies before counting the strings. Report the protocol
violation once and return -EIO to the caller.

Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
Changes in v2:
- Reject malformed replies instead of copying the transport-added
  terminator, as suggested by Juergen Gross.

 drivers/xen/xenbus/xenbus_xs.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c
index c202e7c55..d1cca4acb 100644
--- a/drivers/xen/xenbus/xenbus_xs.c
+++ b/drivers/xen/xenbus/xenbus_xs.c
@@ -417,6 +417,12 @@ static char **split_strings(char *strings, unsigned int 
len, unsigned int *num)
 {
        char *p, **ret;
 
+       if (len && strings[len - 1]) {
+               pr_err_once("malformed XS_DIRECTORY reply\n");
+               kfree(strings);
+               return ERR_PTR(-EIO);
+       }
+
        /* Count the strings. */
        *num = count_strings(strings, len);
 
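Review bot: the new early return at the top of split_strings() leaves *num unset, because it runs before `*num = count_strings(strings, len);`. Setting `*num = 0;` before `return ERR_PTR(-EIO);` would give callers a defined count on every path. The `kfree(strings)` on this path means the function consumes the buffer on failure, so a short comment above the check saying that, and that the last byte inside len must be NUL because the entries are later walked with strlen(), would help the next reader. Since pr_err_once() logs only the first malformed reply and the message carries no len, later violations are visible only through the -EIO return; if that is the intent, say so in the comment.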
-- 
2.54.0
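The check the commit message describes, shown as a userspace sketch that is an added example and not code from the patch or the kernel. The helper name `split_dir_reply` and the sample entries are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical userspace helper, not kernel code. Splits `len` bytes of
 * NUL-separated entries into pointers that alias `buf` (caller owns buf).
 * Returns 0, -EIO for an unterminated reply, or -ENOMEM. */
static int split_dir_reply(const char *buf, size_t len,
                           const char ***out, size_t *num)
{
    const char *p, *end = buf + len;
    const char **vec;
    size_t n = 0, i = 0;

    *out = NULL;        /* defined outputs on every path */
    *num = 0;

    /* Same condition as the patch: a non-empty reply must end in NUL. */
    if (len && buf[len - 1] != '\0')
        return -EIO;

    /* Count entries; memchr is bounded by the advertised length. */
    for (p = buf; p < end; p = (const char *)memchr(p, '\0', (size_t)(end - p)) + 1)
        n++;

    vec = calloc(n ? n : 1, sizeof(*vec));
    if (!vec)
        return -ENOMEM;

    /* strlen cannot leave the payload: termination was checked above. */
    for (p = buf; p < end; p += strlen(p) + 1)
        vec[i++] = p;

    *out = vec;
    *num = n;
    return 0;
}

int main(void)
{
    static const char reply[] = "vbd\0vif\0console"; /* constructed sample */
    const char **v;
    size_t n;

    printf("terminated:   %d\n", split_dir_reply(reply, sizeof(reply), &v, &n));
    free(v);
    printf("unterminated: %d\n", split_dir_reply(reply, sizeof(reply) - 1, &v, &n));
    return 0;
}
```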



 

