Commit 772a7369 authored by Jan Dakinevich, committed by Greg Kurz

9pfs: check the size of transport buffer before marshaling



v9fs_do_readdir_with_stat() should check for a maximum buffer size
before an attempt to marshal gathered data. Otherwise, buffers are assumed
to be misconfigured and the transport would be broken.

The patch brings v9fs_do_readdir_with_stat() in conformity with
v9fs_do_readdir() behavior.

Signed-off-by: Jan Dakinevich <jan.dakinevich@gmail.com>
[groug, regression caused by commit 8d37de41 # 2.10]
Signed-off-by: Greg Kurz <groug@kaod.org>
parent 4d8bc733
+12 −3
@@ -1748,17 +1748,26 @@ static int coroutine_fn v9fs_do_readdir_with_stat(V9fsPDU *pdu,
        if (err < 0) {
            break;
        }
        if ((count + v9stat.size + 2) > max_count) {
            v9fs_readdir_unlock(&fidp->fs.dir);

            /* Ran out of buffer. Set dir back to old position and return */
            v9fs_co_seekdir(pdu, fidp, saved_dir_pos);
            v9fs_stat_free(&v9stat);
            v9fs_path_free(&path);
            return count;
        }

        /* 11 = 7 + 4 (7 = start offset, 4 = space for storing count) */
        len = pdu_marshal(pdu, 11 + count, "S", &v9stat);

        v9fs_readdir_unlock(&fidp->fs.dir);

        if ((len != (v9stat.size + 2)) || ((count + len) > max_count)) {
            /* Ran out of buffer. Set dir back to old position and return */
        if (len < 0) {
            v9fs_co_seekdir(pdu, fidp, saved_dir_pos);
            v9fs_stat_free(&v9stat);
            v9fs_path_free(&path);
            return count;
            return len;
        }
        count += len;
        v9fs_stat_free(&v9stat);
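
Review bot: The new pre-check `(count + v9stat.size + 2) > max_count` only protects the buffer if pdu_marshal() writes exactly `v9stat.size + 2` bytes, and the old post-marshal test `len != (v9stat.size + 2)` that verified this is dropped, so after `count += len` nothing catches a marshaled length larger than the predicted one. Consider keeping that equality as an assertion after the `len < 0` branch, so a mismatch between the stat size and the marshaled length is caught rather than silently pushing count past max_count. The `len < 0` branch also lost its comment when the "Ran out of buffer" text moved up; a one-line comment saying this is now a marshaling error returned to the caller, as in v9fs_do_readdir(), would make the two early returns easier to tell apart.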