[PATCH v2] xenbus: reject unterminated directory replies

Yousef Alhouseen posted 1 patch 1 week ago
There is a newer version of this series
drivers/xen/xenbus/xenbus_xs.c | 6 ++++++
1 file changed, 6 insertions(+)
Posted by Yousef Alhouseen 1 week ago
split_strings() walks each directory entry with strlen(). Although the
transport adds a terminator after the reply buffer, a malformed reply
without a final NUL inside its advertised length would let that walk
cross the protocol payload boundary.

Reject such replies before counting the strings. Report the protocol
violation once and return -EIO to the caller.

Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
---
Changes in v2:
- Reject malformed replies instead of copying the transport-added
  terminator, as suggested by Juergen Gross.

 drivers/xen/xenbus/xenbus_xs.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c
index c202e7c55..d1cca4acb 100644
--- a/drivers/xen/xenbus/xenbus_xs.c
+++ b/drivers/xen/xenbus/xenbus_xs.c
@@ -417,6 +417,12 @@ static char **split_strings(char *strings, unsigned int len, unsigned int *num)
 {
 	char *p, **ret;
 
+	if (len && strings[len - 1]) {
+		pr_err_once("malformed XS_DIRECTORY reply\n");
+		kfree(strings);
+		return ERR_PTR(-EIO);
+	}
+
 	/* Count the strings. */
 	*num = count_strings(strings, len);
 
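Review bot: the pr_err_once() string in the new check at the top of split_strings() hard-codes "XS_DIRECTORY", but nothing in the function's signature (strings, len, num) ties it to that one request type, and the check carries no comment saying why strings[len - 1] must be NUL. Consider a short comment above the `if` stating that every entry, including the last, has to be terminated inside `len` because the entries are walked with strlen(), as the commit message explains. Consider also wording the message generically or including `len` in it, so a triggered report is easier to triage. Since this path does kfree(strings) before returning ERR_PTR(-EIO), the function comment should say that split_strings() consumes `strings` on failure, so that callers test IS_ERR() and neither free nor reuse the buffer afterwards.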
-- 
2.54.0
Re: [PATCH v2] xenbus: reject unterminated directory replies
Posted by Jürgen Groß 3 days, 12 hours ago
On 27.06.26 00:37, Yousef Alhouseen wrote:
> split_strings() walks each directory entry with strlen(). Although the
> transport adds a terminator after the reply buffer, a malformed reply
> without a final NUL inside its advertised length would let that walk
> cross the protocol payload boundary.
> 
> Reject such replies before counting the strings. Report the protocol
> violation once and return -EIO to the caller.
> 
> Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>

Reviewed-by: Juergen Gross <jgross@suse.com>


Juergen