[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH v2 3/3] xen: xenbus_dev_frontend: Verify body of XS_TRANSACTION_END

To: xen-devel@xxxxxxxxxxxxxxxxxxxx
From: Simon Gaiser <simon@xxxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 15 Mar 2018 03:43:22 +0100
Cc: Simon Gaiser <simon@xxxxxxxxxxxxxxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, linux-kernel@xxxxxxxxxxxxxxx
Delivery-date: Thu, 15 Mar 2018 02:46:40 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

By guaranteeing that the argument of XS_TRANSACTION_END is valid we can
assume that the transaction has been closed when we get an XS_ERROR
response from xenstore (Note that we already verify that it's a valid
transaction id).

Signed-off-by: Simon Gaiser <simon@xxxxxxxxxxxxxxxxxxxxxx>
---
 drivers/xen/xenbus/xenbus_dev_frontend.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c 
b/drivers/xen/xenbus/xenbus_dev_frontend.c
index 81a84b3c1c50..0d6d9264d6a9 100644
--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -429,6 +429,10 @@ static int xenbus_write_transaction(unsigned msg_type,
 {
        int rc;
        struct xenbus_transaction_holder *trans = NULL;
+       struct {
+               struct xsd_sockmsg hdr;
+               char body[];
+       } *msg = (void *)u->u.buffer;
 
        if (msg_type == XS_TRANSACTION_START) {
                trans = kzalloc(sizeof(*trans), GFP_KERNEL);
@@ -437,11 +441,15 @@ static int xenbus_write_transaction(unsigned msg_type,
                        goto out;
                }
                list_add(&trans->list, &u->transactions);
-       } else if (u->u.msg.tx_id != 0 &&
-                  !xenbus_get_transaction(u, u->u.msg.tx_id))
+       } else if (msg->hdr.tx_id != 0 &&
+                  !xenbus_get_transaction(u, msg->hdr.tx_id))
                return xenbus_command_reply(u, XS_ERROR, "ENOENT");
+       else if (msg_type == XS_TRANSACTION_END &&
+                !(msg->hdr.len == 2 &&
+                  (!strcmp(msg->body, "T") || !strcmp(msg->body, "F"))))
+               return xenbus_command_reply(u, XS_ERROR, "EINVAL");
 
-       rc = xenbus_dev_request_and_reply(&u->u.msg, u);
+       rc = xenbus_dev_request_and_reply(&msg->hdr, u);
        if (rc && trans) {
                list_del(&trans->list);
                kfree(trans);
-- 
2.16.2


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH v2 3/3] xen: xenbus_dev_frontend: Verify body of XS_TRANSACTION_END
  - From: Juergen Gross

References:
- [Xen-devel] [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling
  - From: Simon Gaiser

Prev by Date: [Xen-devel] [PATCH v2 2/3] xen: xenbus: Catch closing of non existent transactions
Next by Date: [Xen-devel] [PATCH] xen: xenbus_dev_frontend: Really return response string
Previous by thread: Re: [Xen-devel] [PATCH v2 2/3] xen: xenbus: Catch closing of non existent transactions
Next by thread: Re: [Xen-devel] [PATCH v2 3/3] xen: xenbus_dev_frontend: Verify body of XS_TRANSACTION_END
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.