The 9p spec at http://man.cat-v.org/plan_9/5/intro reads:
"Each 9P message begins with a four-byte size field specify-
ing the length in bytes of the complete message including
the four bytes of the size field itself. The next byte is
the message type, one of the constants in the enumeration in
the include file <fcall.h>. The next two bytes are an iden-
tifying tag, described below."
ie, each message starts with a 7-byte long header.
The core 9P code already assumes this pretty much everywhere. This patch
does the following:
- makes the assumption explicit in the common 9p.h header, since it isn't
related to the transport
- open codes the header size in handle_9p_output() and hardens the sanity
check on the space needed for the reply message
Signed-off-by: Greg Kurz <[email protected]>
Acked-by: Stefano Stabellini <[email protected]>
uint8_t id;
uint16_t tag_le;
} QEMU_PACKED P9MsgHeader;
+/* According to the specification, 9p messages start with a 7-byte header.
+ * Since most of the code uses this header size in literal form, we must be
+ * sure this is indeed the case.
+ */
+QEMU_BUILD_BUG_ON(sizeof(P9MsgHeader) != 7);
struct V9fsPDU
{
goto out_free_pdu;
}
- if (elem->in_num == 0) {
+ if (iov_size(elem->in_sg, elem->in_num) < 7) {
virtio_error(vdev,
"The guest sent a VirtFS request without space for "
"the reply");
goto out_free_req;
}
- QEMU_BUILD_BUG_ON(sizeof(out) != 7);
- len = iov_to_buf(elem->out_sg, elem->out_num, 0,
- &out, sizeof(out));
- if (len != sizeof(out)) {
+ len = iov_to_buf(elem->out_sg, elem->out_num, 0, &out, 7);
+ if (len != 7) {
virtio_error(vdev, "The guest sent a malformed VirtFS request: "
"header size is %zd, should be 7", len);
goto out_free_req;
projects / qemu.git / commitdiff