From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dominique Martinet Subject: Re: [PATCH] 9p: validate PDU length Date: Wed, 25 Jul 2018 06:11:39 +0200 Message-ID: <20180725041139.GB11041@nautica> References: <20180723154404.2406-1-tomasbortoli@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Cc: davem@davemloft.net, v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com To: Tomas Bortoli Return-path: Content-Disposition: inline In-Reply-To: <20180723154404.2406-1-tomasbortoli@gmail.com> Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org Tomas Bortoli wrote on Mon, Jul 23, 2018: > diff --git a/net/9p/client.c b/net/9p/client.c > index 18c5271910dc..92240ccf476b 100644 > --- a/net/9p/client.c > +++ b/net/9p/client.c > @@ -524,6 +525,12 @@ static int p9_check_errors(struct p9_client *c, struct p9_req_t *req) > int ecode; > > err = p9_parse_header(req->rc, NULL, &type, NULL, 0); > + if (req->rc->size >= c->msize) { I was looking at this again, I think it's more appropriate to use req->rc->capacity at this point like you did in the first version of the patch. I had suggested msize in the common p9_parse_header function because that'd let us accept zc requests where the size in the pdu could be bigger than capacity, but this isn't the case in p9_check_errors. If you're ok with this I'll edit your commit directly, this is less work for me than having to check a new patch. Thanks, -- Dominique
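Review bot: In the p9_check_errors hunk, the added `if (req->rc->size >= c->msize)` test comes directly after `err = p9_parse_header(req->rc, NULL, &type, NULL, 0);` and before any visible test of `err`, so the size field is consulted even when header parsing has failed. Consider checking `err` first, or add a comment stating why the length check is safe to run on a PDU whose header did not parse. The comparison uses `>=`, which rejects a reply whose size is exactly equal to the limit; if a reply of that size is valid, `>` is the operator to use, and either way a one-line comment should say which is intended. Whichever bound ends up on the right-hand side (c->msize or req->rc->capacity, as discussed in the reply), the comment should name the buffer that the check protects.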