[Qemu-devel] [PULL 8/8] 9pfs: handle transport errors in pdu_complete()

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kurz <groug@kaod.org>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>, Greg Kurz <groug@kaod.org>
Subject: [Qemu-devel] [PULL 8/8] 9pfs: handle transport errors in pdu_complete()
Date: Thu, 29 Jun 2017 15:43:51 +0200	[thread overview]
Message-ID: <1498743831-28676-9-git-send-email-groug@kaod.org> (raw)
In-Reply-To: <1498743831-28676-1-git-send-email-groug@kaod.org>

Contrary to what is written in the comment, a buggy guest can misconfigure
the transport buffers and pdu_marshal() may return an error.  If this ever
happens, it is up to the transport layer to handle the situation (9P is
transport agnostic).

This fixes Coverity issue CID1348518.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
---
 hw/9pfs/9p.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 8e5cac71eb60..6c92bad5b3b4 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -624,15 +624,11 @@ void pdu_free(V9fsPDU *pdu)
     QLIST_INSERT_HEAD(&s->free_list, pdu, next);
 }
 
-/*
- * We don't do error checking for pdu_marshal/unmarshal here
- * because we always expect to have enough space to encode
- * error details
- */
 static void coroutine_fn pdu_complete(V9fsPDU *pdu, ssize_t len)
 {
     int8_t id = pdu->id + 1; /* Response */
     V9fsState *s = pdu->s;
+    int ret;
 
     if (len < 0) {
         int err = -len;
@@ -644,11 +640,19 @@ static void coroutine_fn pdu_complete(V9fsPDU *pdu, ssize_t len)
             str.data = strerror(err);
             str.size = strlen(str.data);
 
-            len += pdu_marshal(pdu, len, "s", &str);
+            ret = pdu_marshal(pdu, len, "s", &str);
+            if (ret < 0) {
+                goto out_notify;
+            }
+            len += ret;
             id = P9_RERROR;
         }
 
-        len += pdu_marshal(pdu, len, "d", err);
+        ret = pdu_marshal(pdu, len, "d", err);
+        if (ret < 0) {
+            goto out_notify;
+        }
+        len += ret;
 
         if (s->proto_version == V9FS_PROTO_2000L) {
             id = P9_RLERROR;
@@ -657,12 +661,15 @@ static void coroutine_fn pdu_complete(V9fsPDU *pdu, ssize_t len)
     }
 
     /* fill out the header */
-    pdu_marshal(pdu, 0, "dbw", (int32_t)len, id, pdu->tag);
+    if (pdu_marshal(pdu, 0, "dbw", (int32_t)len, id, pdu->tag) < 0) {
+        goto out_notify;
+    }
 
     /* keep these in sync */
     pdu->size = len;
     pdu->id = id;
 
+out_notify:
     pdu->s->transport->push_and_notify(pdu);
 
     /* Now wakeup anybody waiting in flush for this request */
-- 
2.7.5

next prev parent reply	other threads:[~2017-06-29 13:44 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-06-29 13:43 [Qemu-devel] [PULL 0/8] 9pfs patches for 2.10 20170629 Greg Kurz
2017-06-29 13:43 ` [Qemu-devel] [PULL 1/8] 9pfs: local: remove: use correct path component Greg Kurz
2017-06-29 13:43 ` [Qemu-devel] [PULL 2/8] 9pfs: local: Add support for custom fmode/dmode in 9ps mapped security modes Greg Kurz
2017-06-29 13:43 ` [Qemu-devel] [PULL 3/8] 9pfs: replace g_malloc()+memcpy() with g_memdup() Greg Kurz
2017-06-29 13:43 ` [Qemu-devel] [PULL 4/8] virtio-9p: record element after sanity checks Greg Kurz
2017-06-29 13:43 ` [Qemu-devel] [PULL 5/8] virtio-9p: message header is 7-byte long Greg Kurz
2017-06-29 13:43 ` [Qemu-devel] [PULL 6/8] virtio-9p: break device if buffers are misconfigured Greg Kurz
2017-06-29 13:43 ` [Qemu-devel] [PULL 7/8] xen-9pfs: disconnect " Greg Kurz
2017-06-29 13:43 ` Greg Kurz [this message]
2017-06-29 16:00 ` [Qemu-devel] [PULL 0/8] 9pfs patches for 2.10 20170629 Peter Maydell
2017-06-29 16:59   ` Greg Kurz

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:8e5cac71eb6 dfblob:6c92bad5b3b )
 OR (
bs:"[Qemu-devel] [PULL 8/8] 9pfs: handle transport errors in pdu_complete()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1498743831-28676-9-git-send-email-groug@kaod.org \
    --to=groug@kaod.org \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).