authorSimon Gaiser <simon@invisiblethingslab.com>2018-03-15 05:43:22 +0300
committerBoris Ostrovsky <boris.ostrovsky@oracle.com>2018-03-21 15:28:53 +0300
commit8fe5ab411209ac6e2c7021131e622fd004506d1a (patch)
treea0bc74504940ebc1b28da3c873beeb8785ddb5bd /drivers/xen/xenbus/xenbus_dev_frontend.c
parentb93008d1ac657dc67819330c5995e65e7c3e7978 (diff)
xen: xenbus_dev_frontend: Verify body of XS_TRANSACTION_END
By guaranteeing that the argument of XS_TRANSACTION_END is valid we can assume that the transaction has been closed when we get an XS_ERROR response from xenstore (Note that we already verify that it's a valid transaction id). Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com> Reviewed-by: Juergen Gross <jgross@suse.com> Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Diffstat (limited to 'drivers/xen/xenbus/xenbus_dev_frontend.c')
-rw-r--r--drivers/xen/xenbus/xenbus_dev_frontend.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c
index 81a84b3c1c50..0d6d9264d6a9 100644
--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -429,6 +429,10 @@ static int xenbus_write_transaction(unsigned msg_type,
{
int rc;
struct xenbus_transaction_holder *trans = NULL;
+ struct {
+ struct xsd_sockmsg hdr;
+ char body[];
+ } *msg = (void *)u->u.buffer;
if (msg_type == XS_TRANSACTION_START) {
trans = kzalloc(sizeof(*trans), GFP_KERNEL);
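Review bot: The `msg` overlay added at the top of xenbus_write_transaction has no comment saying what it aliases, and the `(void *)` cast hides that `msg->hdr` is the same storage the removed lines in the next hunk reached as `u->u.msg`. A short comment such as `/* view of u->u.buffer: xsd_sockmsg header followed by hdr.len payload bytes */` would state the layout the later body check depends on. Whether `u->u.buffer` is large enough, and already holds the full body when this function runs, is decided outside this hunk, so the comment should name that as a caller-provided invariant rather than assert it. The function's signature and the rest of its body lie outside the hunk.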
@@ -437,11 +441,15 @@ static int xenbus_write_transaction(unsigned msg_type,
goto out;
}
list_add(&trans->list, &u->transactions);
- } else if (u->u.msg.tx_id != 0 &&
- !xenbus_get_transaction(u, u->u.msg.tx_id))
+ } else if (msg->hdr.tx_id != 0 &&
+ !xenbus_get_transaction(u, msg->hdr.tx_id))
return xenbus_command_reply(u, XS_ERROR, "ENOENT");
+ else if (msg_type == XS_TRANSACTION_END &&
+ !(msg->hdr.len == 2 &&
+ (!strcmp(msg->body, "T") || !strcmp(msg->body, "F"))))
+ return xenbus_command_reply(u, XS_ERROR, "EINVAL");
- rc = xenbus_dev_request_and_reply(&u->u.msg, u);
+ rc = xenbus_dev_request_and_reply(&msg->hdr, u);
if (rc && trans) {
list_del(&trans->list);
kfree(trans);
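Review bot: In the new `XS_TRANSACTION_END` branch the `strcmp()` calls on `msg->body` are bounded only because `msg->hdr.len == 2` is tested first and `&&` short-circuits; nothing says so, and reordering the condition would let `strcmp()` run over a body with no terminator. I would add `/* len 2 = one flag byte plus its NUL; must be checked before strcmp() */` above the branch, or make the bound explicit with `!memcmp(msg->body, "T", 2) || !memcmp(msg->body, "F", 2)`. The check also relies on all `hdr.len` body bytes already being present in `u->u.buffer`, which is presumably guaranteed by the caller but is not visible here. Note that a `tx_id` of 0 skips the lookup in the preceding branch, so in that case the END request is forwarded without a local transaction match. The function body starts before and continues after this hunk.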