9p/xen: check logical size for buffer size

author Dominique Martinet <asmadeus@codewreck.org>

Fri, 18 Nov 2022 13:44:41 +0000 (22:44 +0900)

committer Dominique Martinet <asmadeus@codewreck.org>

Wed, 23 Nov 2022 05:01:27 +0000 (14:01 +0900)
author Dominique Martinet <asmadeus@codewreck.org>
Fri, 18 Nov 2022 13:44:41 +0000 (22:44 +0900)
committer Dominique Martinet <asmadeus@codewreck.org>
Wed, 23 Nov 2022 05:01:27 +0000 (14:01 +0900)
diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c

index b15c64128c3e58e7c93bcfe94a3ffa28ffad2611..aaa5fd364691b0bd32957f56a36a80d4989ed7d1 100644 (file)
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -208,6 +208,14 @@ static void p9_xen_response(struct work_struct *work)
                         continue;
                 }
  
+               if (h.size > req->rc.capacity) {
+                       dev_warn(&priv->dev->dev,
+                                "requested packet size too big: %d for tag %d with capacity %zd\n",
+                                h.size, h.tag, req->rc.capacity);
+                       req->status = REQ_STATUS_ERROR;
+                       goto recv_error;
+               }
+
                 memcpy(&req->rc, &h, sizeof(h));
                 req->rc.offset = 0;
  
@@ -217,6 +225,7 @@ static void p9_xen_response(struct work_struct *work)
                                      masked_prod, &masked_cons,
                                      XEN_9PFS_RING_SIZE(ring));
  
+recv_error:
                 virt_mb();
                 cons += h.size;
                 ring->intf->in_cons = cons;
author	Dominique Martinet <asmadeus@codewreck.org>
	Fri, 18 Nov 2022 13:44:41 +0000 (22:44 +0900)
committer	Dominique Martinet <asmadeus@codewreck.org>
	Wed, 23 Nov 2022 05:01:27 +0000 (14:01 +0900)