From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Stefano Stabellini, Greg Kurz, "Michael S. Tsirkin"
Date: Wed, 21 Jun 2017 19:42:07 +0200
Message-ID: <149806692721.3840.2211779486273110064.stgit@bahia.lan>
In-Reply-To: <149806690313.3840.13274158676579302242.stgit@bahia.lan>
Subject: [Qemu-devel] [PATCH v3 2/4] virtio-9p: message header is 7-byte long

The 9p spec at http://man.cat-v.org/plan_9/5/intro reads:

    "Each 9P message begins with a four-byte size field specifying
    the length in bytes of the complete message including the four
    bytes of the size field itself. The next byte is the message
    type, one of the constants in the enumeration in the include
    file . The next two bytes are an identifying tag, described
    below."

ie, each message starts with a 7-byte long header.

The core 9P code already assumes this pretty much everywhere.

This patch does the following:
- makes the assumption explicit in the common 9p.h header, since it isn't
  related to the transport
- open codes the header size in handle_9p_output() and hardens the sanity
  check on the space needed for the reply message

Signed-off-by: Greg Kurz --- hw/9pfs/9p.h | 5 +++++ hw/9pfs/virtio-9p-device.c | 8 +++----- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h index c886ba78d2ee..aac1b0b2ce3d 100644 --- a/hw/9pfs/9p.h +++ b/hw/9pfs/9p.h @@ -124,6 +124,11 @@ typedef struct { uint8_t id; uint16_t tag_le; } QEMU_PACKED P9MsgHeader; +/* According to the specification, 9p messages start with a 7-byte header. + * Since most of the code uses this header size in literal form, we must be + * sure this is indeed the case. + */ +QEMU_BUILD_BUG_ON(sizeof(P9MsgHeader) !=3D 7); =20 struct V9fsPDU { diff --git a/hw/9pfs/virtio-9p-device.c b/hw/9pfs/virtio-9p-device.c index 3380bfc0c551..1a68c1622d3a 100644 --- a/hw/9pfs/virtio-9p-device.c +++ b/hw/9pfs/virtio-9p-device.c @@ -53,17 +53,15 @@ static void handle_9p_output(VirtIODevice *vdev, VirtQu= eue *vq) goto out_free_pdu; } =20 - if (elem->in_num =3D=3D 0) { + if (iov_size(elem->in_sg, elem->in_num) < 7) { virtio_error(vdev, "The guest sent a VirtFS request without space fo= r " "the reply"); goto out_free_req; } - QEMU_BUILD_BUG_ON(sizeof(out) !=3D 7); =20 - len =3D iov_to_buf(elem->out_sg, elem->out_num, 0, - &out, sizeof(out)); - if (len !=3D sizeof(out)) { + len =3D iov_to_buf(elem->out_sg, elem->out_num, 0, &out, 7); + if (len !=3D 7) { virtio_error(vdev, "The guest sent a malformed VirtFS request:= " "header size is %zd, should be 7", len); goto out_free_req;
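
Review bot: the QEMU_BUILD_BUG_ON(sizeof(P9MsgHeader) != 7) added in hw/9pfs/9p.h pins the struct size but leaves 7 as a bare literal, and the new comment justifies the check only by noting that most of the code already uses the literal. Consider defining a named constant for the header size next to the assertion and asserting against that, so the size checks in handle_9p_output() and the other users can reference one definition instead of repeating 7. The comment wording "we must be sure this is indeed the case" would also read better as a statement of what is enforced, for example that the build fails if P9MsgHeader is not 7 bytes.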
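
Review bot: in the hw/9pfs/virtio-9p-device.c hunk, iov_to_buf(elem->out_sg, elem->out_num, 0, &out, 7) now bounds the write into out with a literal instead of sizeof(out), so the copy is only known to fit because of the build-time assertion in 9p.h, and only if out is a P9MsgHeader (its declaration is not in the visible lines). Keeping sizeof(out) as the length argument, or keeping a local QEMU_BUILD_BUG_ON on out, would tie the bound to the destination object in this file. Separately, the virtio_error() text for the new iov_size(elem->in_sg, elem->in_num) < 7 check still says "without space for the reply", although the check now also rejects a reply buffer that is present but shorter than the header; "without enough space for the reply header" would match the condition.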