| Message ID | 1490259133-44411-1-git-send-email-liqiang6-s@360.cn (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Thu, 23 Mar 2017 01:52:13 -0700 Li Qiang <liq3ea@gmail.com> wrote: > In v9fs_create/lcreate dispatch handler, the fidp's fid_type is not checked > before used. As these function will set the fid_type, if the guest call > more than once them, it will leak the fidp. This can cause some other Not leak the fidp but rather a file descriptor or directory handle... > issue, such as memory leak. Check the fid_type before using them. > or memory previously allocated for an extended attribute. I'll fix the changelog before pushing the fix. Thanks, -- Greg > Signed-off-by: Li Qiang <liqiang6-s@360.cn> > --- > hw/9pfs/9p.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c > index b8c0b99..48babce 100644 > --- a/hw/9pfs/9p.c > +++ b/hw/9pfs/9p.c > @@ -1550,6 +1550,10 @@ static void coroutine_fn v9fs_lcreate(void *opaque) > err = -ENOENT; > goto out_nofid; > } > + if (fidp->fid_type != P9_FID_NONE) { > + err = -EINVAL; > + goto out; > + } > > flags = get_dotl_openflags(pdu->s, flags); > err = v9fs_co_open2(pdu, fidp, &name, gid, > @@ -2153,6 +2157,10 @@ static void coroutine_fn v9fs_create(void *opaque) > err = -EINVAL; > goto out_nofid; > } > + if (fidp->fid_type != P9_FID_NONE) { > + err = -EINVAL; > + goto out; > + } > if (perm & P9_STAT_MODE_DIR) { > err = v9fs_co_mkdir(pdu, fidp, &name, perm & 0777, > fidp->uid, -1, &stbuf);
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index b8c0b99..48babce 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -1550,6 +1550,10 @@ static void coroutine_fn v9fs_lcreate(void *opaque) err = -ENOENT; goto out_nofid; } + if (fidp->fid_type != P9_FID_NONE) { + err = -EINVAL; + goto out; + } flags = get_dotl_openflags(pdu->s, flags); err = v9fs_co_open2(pdu, fidp, &name, gid, @@ -2153,6 +2157,10 @@ static void coroutine_fn v9fs_create(void *opaque) err = -EINVAL; goto out_nofid; } + if (fidp->fid_type != P9_FID_NONE) { + err = -EINVAL; + goto out; + } if (perm & P9_STAT_MODE_DIR) { err = v9fs_co_mkdir(pdu, fidp, &name, perm & 0777, fidp->uid, -1, &stbuf);
In v9fs_create/lcreate dispatch handler, the fidp's fid_type is not checked before used. As these function will set the fid_type, if the guest call more than once them, it will leak the fidp. This can cause some other issue, such as memory leak. Check the fid_type before using them. Signed-off-by: Li Qiang <liqiang6-s@360.cn> --- hw/9pfs/9p.c | 8 ++++++++ 1 file changed, 8 insertions(+)