On 17.01.22 05:12, Raphael Norwitz wrote: > Today if multiple FDs are sent from the VMM to the backend in a > VHOST_USER_ADD_MEM_REG message, one FD will be mapped and the remaining > FDs will be leaked. Therefore if multiple FDs are sent we report an > error and fail the operation, closing all FDs in the message. > > Likewise in case the VMM sends a message with a size less than that > of a memory region descriptor, we add a check to gracefully report an > error and fail the operation rather than crashing. > > Signed-off-by: Raphael Norwitz <raphael.norw...@nutanix.com> > --- > subprojects/libvhost-user/libvhost-user.c | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/subprojects/libvhost-user/libvhost-user.c > b/subprojects/libvhost-user/libvhost-user.c > index b09b1c269e..1a8fc9d600 100644 > --- a/subprojects/libvhost-user/libvhost-user.c > +++ b/subprojects/libvhost-user/libvhost-user.c > @@ -690,6 +690,21 @@ vu_add_mem_reg(VuDev *dev, VhostUserMsg *vmsg) { > VuDevRegion *dev_region = &dev->regions[dev->nregions]; > void *mmap_addr; > > + if (vmsg->fd_num != 1) { > + vmsg_close_fds(vmsg); > + vu_panic(dev, "VHOST_USER_ADD_MEM_REG received %d fds - only 1 fd " > + "should be sent for this message type", vmsg->fd_num); > + return false; > + } > + > + if (vmsg->size < VHOST_USER_MEM_REG_SIZE) { > + close(vmsg->fds[0]);
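Review bot: The two error paths in vu_add_mem_reg() release descriptors differently: the fd_num check calls vmsg_close_fds(vmsg), while the size check (vmsg->size < VHOST_USER_MEM_REG_SIZE) calls close(vmsg->fds[0]) directly. Because fd_num is already known to be 1 at that point, both release the same descriptor. Using vmsg_close_fds(vmsg) in the size check as well would keep the cleanup in one helper and would stay leak-free if the fd_num condition is ever relaxed. The quoted hunk is cut off after the close() call, so the rest of that branch cannot be checked here; it should report the short message size through vu_panic() and return false, as the fd_num branch does.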
Same comment as for patch #1

Reviewed-by: David Hildenbrand <da...@redhat.com>

--
Thanks,

David / dhildenb