[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH v2 5/5] 9p: forbid empty extension string
From: |
Greg Kurz |
Subject: |
[Qemu-devel] [PATCH v2 5/5] 9p: forbid empty extension string |
Date: |
Fri, 26 Aug 2016 17:07:34 +0200 |
User-agent: |
StGit/0.17.1-dirty |
A buggy guest using the 9p2000.u protocol can issue a create request and
pass an empty string as the extension argument. This causes QEMU to crash
in the case of a hard link or a special file, and leads to undefined
behavior, depending on the backend, in the case of a symbolic link.
This patch causes the request to fail with EINVAL in these scenarios.
Signed-off-by: Greg Kurz <address@hidden>
---
hw/9pfs/9p.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 7b1dfe4e47cb..dc65c3125006 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2150,6 +2150,11 @@ static void v9fs_create(void *opaque)
}
fidp->fid_type = P9_FID_DIR;
} else if (perm & P9_STAT_MODE_SYMLINK) {
+ if (extension.data == NULL) {
+ err = -EINVAL;
+ goto out;
+ }
+
err = v9fs_co_symlink(pdu, fidp, &name,
extension.data, -1 , &stbuf);
if (err < 0) {
@@ -2161,8 +2166,15 @@ static void v9fs_create(void *opaque)
}
v9fs_path_copy(&fidp->path, &path);
} else if (perm & P9_STAT_MODE_LINK) {
- int32_t ofid = atoi(extension.data);
- V9fsFidState *ofidp = get_fid(pdu, ofid);
+ V9fsFidState *ofidp;
+
+ if (extension.data == NULL) {
+ err = -EINVAL;
+ goto out;
+ }
+
+ ofidp = get_fid(pdu, atoi(extension.data));
+
if (ofidp == NULL) {
err = -EINVAL;
goto out;
@@ -2188,6 +2200,11 @@ static void v9fs_create(void *opaque)
uint32_t major, minor;
mode_t nmode = 0;
+ if (extension.data == NULL) {
+ err = -EINVAL;
+ goto out;
+ }
+
if (sscanf(extension.data, "%c %u %u", &ctype, &major, &minor) != 3) {
err = -errno;
goto out;
- Re: [Qemu-devel] [PATCH v2 1/5] 9p: forbid illegal path names, (continued)
- [Qemu-devel] [PATCH v2 2/5] 9p: disallow the NUL character in all strings, Greg Kurz, 2016/08/26
- [Qemu-devel] [PATCH v2 3/5] 9p: forbid . and .. in file names, Greg Kurz, 2016/08/26
- [Qemu-devel] [PATCH v2 4/5] 9p: handle walk of ".." in the root directory, Greg Kurz, 2016/08/26
- [Qemu-devel] [PATCH v2 5/5] 9p: forbid empty extension string,
Greg Kurz <=
- Re: [Qemu-devel] [PATCH v2 5/5] 9p: forbid empty extension string, Eric Blake, 2016/08/26
- Re: [Qemu-devel] [PATCH v2 5/5] 9p: forbid empty extension string, Michael S. Tsirkin, 2016/08/26
- Re: [Qemu-devel] [PATCH v2 5/5] 9p: forbid empty extension string, Greg Kurz, 2016/08/28
- Re: [Qemu-devel] [PATCH v2 5/5] 9p: forbid empty extension string, Greg Kurz, 2016/08/28
- Re: [Qemu-devel] [PATCH v2 5/5] 9p: forbid empty extension string, Eric Blake, 2016/08/29
- Re: [Qemu-devel] [PATCH v2 5/5] 9p: forbid empty extension string, Greg Kurz, 2016/08/30
- Re: [Qemu-devel] [PATCH v2 5/5] 9p: forbid empty extension string, Peter Maydell, 2016/08/28