From cbbef43bdc083892a2d4787245c249502c215bb8 Mon Sep 17 00:00:00 2001
From: Yousef Alhouseen
Date: Sat, 27 Jun 2026 00:37:38 +0200
Subject: xenbus: reject unterminated directory replies

split_strings() walks each directory entry with strlen(). Although the transport adds a terminator after the reply buffer, a malformed reply without a final NUL inside its advertised length would let that walk cross the protocol payload boundary. Reject such replies before counting the strings. Report the protocol violation once and return -EIO to the caller.

Signed-off-by: Yousef Alhouseen
Reviewed-by: Juergen Gross
Signed-off-by: Juergen Gross
Message-ID: <20260626223738.43742-1-alhouseenyousef@gmail.com>
---
 drivers/xen/xenbus/xenbus_xs.c | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'drivers')
diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c
index c202e7c553a6..d1cca4acb6f3 100644
--- a/drivers/xen/xenbus/xenbus_xs.c
+++ b/drivers/xen/xenbus/xenbus_xs.c
@@ -417,6 +417,12 @@ static char **split_strings(char *strings, unsigned int len, unsigned int *num)
 {
 char *p, **ret;
 
+ if (len && strings[len - 1]) {
+ pr_err_once("malformed XS_DIRECTORY reply\n");
+ kfree(strings);
+ return ERR_PTR(-EIO);
+ }
+
 /* Count the strings. */
 *num = count_strings(strings, len);
 
-- cgit v1.2.3
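Review bot: The new early return in split_strings() leaves `*num` unwritten, because the only assignment visible in the hunk, `*num = count_strings(strings, len);`, comes after the added check. Callers are not shown here, so it cannot be confirmed that each one tests IS_ERR() on the result before reading the count. Adding `*num = 0;` as the first statement of the rejecting branch would keep that path deterministic. The branch also does `kfree(strings)`, so a short comment such as `/* @strings is consumed here, also on the error return. */` would make the ownership rule explicit for future callers. The rest of the function body lies outside the hunk, so both points should be checked against the remaining paths.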