On Mon, Sep 26, 2016 at 10:34:15AM +0200, Greg Kurz wrote:
> A broken guest may send a request without providing buffers for the reply
> or for the request itself, and virtqueue_pop() will return an element with
> either in_num == 0 or out_num == 0.
>
> All 9P requests are expected to start with the following 7-byte header:
>
>     uint32_t size_le;
>     uint8_t id;
>     uint16_t tag_le;
>
> If iov_to_buf() fails to return these 7 bytes, then something is wrong in
> the guest.
>
> In both cases, it is wrong to crash QEMU, since the root cause lies in the
> guest.
>
> This patch hence does the following:
> - keep the check of in_num since pdu_complete() assumes it has enough
>   space to store the reply and we will send something broken to the guest
> - let iov_to_buf() handle out_num == 0, since it will return 0 just like
>   if the guest had provided a zero-sized buffer.
> - call virtio_error() to inform the guest that the device is now broken,
>   instead of aborting
> - detach the request from the virtqueue and free it
>
> Signed-off-by: Greg Kurz <gr...@kaod.org>
> ---
> v3: - dropped the out_num check (already covered by iov_to_buf())
>     - reworded the in_num error message
>     - added an error path to detach and free the virtqueue element
>
> I haven't added the R-b tags received during v2 because of the above
> changes.
> ---
>  hw/9pfs/virtio-9p-device.c | 26 +++++++++++++++++++++-----
>  1 file changed, 21 insertions(+), 5 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefa...@redhat.com>
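The validation the patch describes, written out as an added stand-alone example (not QEMU's code nor Greg's patch): `iov_copy` is a hypothetical stand-in for `iov_to_buf()`, the error codes and sample header bytes are constructed for illustration, and the caller is assumed to turn a non-zero return into a `virtio_error()` report plus detach/free rather than an abort.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/uio.h>
#define P9_HDR_SIZE 7  /* uint32_t size_le + uint8_t id + uint16_t tag_le */

struct p9_header { uint32_t size; uint8_t id; uint16_t tag; };

/* Hypothetical error codes; the caller reports them via virtio_error(). */
enum { P9_OK = 0, P9_ERR_NO_REPLY_BUF = -1, P9_ERR_SHORT_HEADER = -2 };

/* Stand-in for iov_to_buf(): copy up to len bytes from a scattered iovec and
   return how many were available. out_num == 0 yields 0, like a zero-sized buffer. */
static size_t iov_copy(const struct iovec *iov, unsigned cnt, void *buf, size_t len)
{
    size_t done = 0;
    for (unsigned i = 0; i < cnt && done < len; i++) {
        size_t n = iov[i].iov_len;
        if (n > len - done) n = len - done;
        memcpy((char *)buf + done, iov[i].iov_base, n);
        done += n;
    }
    return done;
}

/* Validate one popped element: in_num == 0 leaves no room for the reply, fewer
   than 7 header bytes is a malformed request. Both are guest bugs, not crashes. */
int p9_parse_request(const struct iovec *out_sg, unsigned out_num,
                     unsigned in_num, struct p9_header *hdr)
{
    uint8_t raw[P9_HDR_SIZE];
    if (in_num == 0) return P9_ERR_NO_REPLY_BUF;
    if (iov_copy(out_sg, out_num, raw, sizeof raw) != sizeof raw)
        return P9_ERR_SHORT_HEADER;
    hdr->size = (uint32_t)raw[0] | (uint32_t)raw[1] << 8 |
                (uint32_t)raw[2] << 16 | (uint32_t)raw[3] << 24;
    hdr->id = raw[4];
    hdr->tag = (uint16_t)(raw[5] | (raw[6] << 8));
    return P9_OK;
}

/* Constructed sample: a header (size 11, id 100, tag 1) split across two
   out descriptors, so the parser must gather it from both. */
static uint8_t sample_a[3] = { 0x0b, 0x00, 0x00 };
static uint8_t sample_b[4] = { 0x00, 0x64, 0x01, 0x00 };
const struct iovec p9_sample_sg[2] = { { sample_a, 3 }, { sample_b, 4 } };
struct p9_header p9_last_hdr;
int p9_check_sample(unsigned out_num, unsigned in_num)
{
    return p9_parse_request(p9_sample_sg, out_num, in_num, &p9_last_hdr);
}
```

Passing fewer descriptors than the header needs (or none at all) yields the short-header error, and a missing reply buffer is caught before any bytes are read.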