On Mon, Dec 05, 2011 at 09:48:39PM +0530, M. Mohan Kumar wrote:
> @@ -187,59 +190,70 @@ size_t v9fs_unmarshal(struct iovec *out_sg, int
> out_num, size_t offset,
> }
> case 's': {
> V9fsString *str = va_arg(ap, V9fsString *);
> - offset += v9fs_unmarshal(out_sg, out_num, offset, bswap,
> - "w", &str->size);
> - /* FIXME: sanity check str->size */
> - str->data = g_malloc(str->size + 1);
> - offset += v9fs_unpack(str->data, out_sg, out_num, offset,
> - str->size);
> - str->data[str->size] = 0;
> + copied = v9fs_unmarshal(out_sg, out_num, offset, bswap,
> + "w", &str->size);
> + if (copied > 0) {
> + offset += copied;
> + str->data = g_malloc(str->size + 1);
str->size is a signed int16_t, so we need a check here (a negative size would reach g_malloc(str->size + 1) unchecked), or the type should be uint16_t.

Stefan