Commit 7bd92756 authored by Prasad J Pandit's avatar Prasad J Pandit Committed by Greg Kurz
Browse files

9pfs: use g_malloc0 to allocate space for xattr 



9p back-end first queries the size of an extended attribute,
allocates space for it via g_malloc() and then retrieves its
value into allocated buffer. Race between querying attribute
size and retrieving its could lead to memory bytes disclosure.
Use g_malloc0() to avoid it.

Reported-by: default avatarTuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: default avatarGreg Kurz <groug@kaod.org>
parent 40a1e8ac

hw/9pfs/9p.c

+2 −2
Original line number Diff line number Diff line
@@ -3234,7 +3234,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque) 
        xattr_fidp->fid_type = P9_FID_XATTR;

        xattr_fidp->fs.xattr.xattrwalk_fid = true;

        if (size) {

            xattr_fidp->fs.xattr.value = g_malloc(size);

            xattr_fidp->fs.xattr.value = g_malloc0(size);

            err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,

                                     xattr_fidp->fs.xattr.value,

                                     xattr_fidp->fs.xattr.len);
@@ -3267,7 +3267,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque) 
        xattr_fidp->fid_type = P9_FID_XATTR;

        xattr_fidp->fs.xattr.xattrwalk_fid = true;

        if (size) {

            xattr_fidp->fs.xattr.value = g_malloc(size);

            xattr_fidp->fs.xattr.value = g_malloc0(size);

            err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,

                                    &name, xattr_fidp->fs.xattr.value,

                                    xattr_fidp->fs.xattr.len);