From patchwork Fri Aug 26 15:07:08 2016
X-Patchwork-Submitter: Greg Kurz
X-Patchwork-Id: 9301591
From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Felix Wilhelm, "Michael S. Tsirkin", Greg Kurz, P J P, "Aneesh Kumar K.V"
Date: Fri, 26 Aug 2016 17:07:08 +0200
Message-Id: <147222402890.18925.12890875990211775724.stgit@bahia.lan>
In-Reply-To: <147222401281.18925.1894824578752486297.stgit@bahia.lan>
Subject: [Qemu-devel] [PATCH v2 2/5] 9p: disallow the NUL character in all strings

According to the 9P spec at http://man.cat-v.org/plan_9/5/intro :

    Data items of larger or variable lengths are represented by a
    two-byte field specifying a count, n, followed by n bytes of
    data. Text strings are represented this way, with the text
    itself stored as a UTF-8 encoded sequence of Unicode characters
    (see utf(6)). Text strings in 9P messages are not NUL-terminated:
    n counts the bytes of UTF-8 data, which include no final zero
    byte. The NUL character is illegal in all text strings in 9P,
    and is therefore excluded from file names, user names, and so on.

With this patch, if a 9P client sends a text string containing a NUL
character, the request will fail and the client is returned EINVAL.

The checking is done in v9fs_iov_vunmarshal() because it is a convenient
place to check all client originated strings.

Suggested-by: Peter Maydell
Signed-off-by: Greg Kurz
Reviewed-by: Eric Blake
---
 fsdev/9p-iov-marshal.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c index 663cad542900..9bcdc370231d 100644 --- a/fsdev/9p-iov-marshal.c +++ b/fsdev/9p-iov-marshal.c @@ -127,7 +127,12 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset, str->size); if (copied > 0) { str->data[str->size] = 0; - } else { + /* 9P forbids NUL characters in all text strings */ + if (strlen(str->data) != str->size) { + copied = -EINVAL; + } + } + if (copied <= 0) { v9fs_string_free(str); } }
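
Review bot: in the added `if (strlen(str->data) != str->size)` check, the NUL test depends on the terminator written one line earlier and compares strlen()'s size_t result against str->size, whose type the hunk does not show; `memchr(str->data, 0, str->size) != NULL` would state the intent directly without relying on that ordering. The rewritten `if (copied <= 0)` frees the string for the new -EINVAL case as well as the old failure case, so please confirm that the code after this block returns the negative `copied` to the caller and that no caller reads str afterwards, since neither is visible in this hunk. A test that sends a string with an embedded NUL and expects EINVAL would pin the behaviour down.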