We shouldn't allow guests to create extended attribute with arbitrary sizes.
On linux hosts, the limit is XATTR_SIZE_MAX. Let's use it. Also, since the
9P protocol uses signed integers, we take care of not converting a negative
value into an insanely great size.
Signed-off-by: Greg Kurz <gr...@kaod.org>
---
hw/9pfs/9p.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 7705ead4b2ac..27af0072599a 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3247,7 +3247,7 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque)
{
int flags;
int32_t fid;
- int64_t size;
+ uint64_t size;
ssize_t err = 0;
V9fsString name;
size_t offset = 7;
@@ -3262,6 +3262,11 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque)
}
trace_v9fs_xattrcreate(pdu->tag, pdu->id, fid, name.data, size, flags);
+ if (size > XATTR_SIZE_MAX) {
+ err = -E2BIG;
+ goto out_nofid;
+ }
+
file_fidp = get_fid(pdu, fid);
if (file_fidp == NULL) {
err = -EINVAL;
