authorYousef Alhouseen <alhouseenyousef@gmail.com>2026-06-27 00:37:38 +0200
committerJuergen Gross <jgross@suse.com>2026-07-01 10:01:14 +0200
commitcbbef43bdc083892a2d4787245c249502c215bb8 (patch)
tree0b69f8ae85d7101e20b87e6975111ececf0dc7ce
parent2299822f3f466b5dcad2377bf63986199f881a6b (diff)
xenbus: reject unterminated directory replies
split_strings() walks each directory entry with strlen(). Although the transport adds a terminator after the reply buffer, a malformed reply without a final NUL inside its advertised length would let that walk cross the protocol payload boundary. Reject such replies before counting the strings. Report the protocol violation once and return -EIO to the caller. Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com> Reviewed-by: Juergen Gross <jgross@suse.com> Signed-off-by: Juergen Gross <jgross@suse.com> Message-ID: <20260626223738.43742-1-alhouseenyousef@gmail.com>
-rw-r--r--drivers/xen/xenbus/xenbus_xs.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c
index c202e7c553a6..d1cca4acb6f3 100644
--- a/drivers/xen/xenbus/xenbus_xs.c
+++ b/drivers/xen/xenbus/xenbus_xs.c
@@ -417,6 +417,12 @@ static char **split_strings(char *strings, unsigned int len, unsigned int *num)
{
char *p, **ret;
+ if (len && strings[len - 1]) {
+ pr_err_once("malformed XS_DIRECTORY reply\n");
+ kfree(strings);
+ return ERR_PTR(-EIO);
+ }
+
/* Count the strings. */
*num = count_strings(strings, len);
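Review bot: The new early return leaves `*num` unwritten, because the assignment `*num = count_strings(strings, len);` comes only after the check; a caller that reads the count without first testing the result with IS_ERR() would see an indeterminate value (callers are not visible here, so this is a hardening suggestion rather than a confirmed bug). Adding `*num = 0;` before `return ERR_PTR(-EIO);` makes the failure path well-defined. The check also deserves a one-line comment stating the invariant it enforces, for example `/* Entries are walked with strlen(); the payload must end in NUL within len. */`, and noting that `strings` is freed here, presumably because the function takes ownership of the buffer. Because `pr_err_once()` logs only the first violation, later malformed replies are silent; if repeated violations matter for monitoring, `pr_err_ratelimited()` would keep them visible. The body of split_strings() continues outside the hunk.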