From patchwork Fri Aug 10 13:52:06 2012
X-Patchwork-Submitter: Simon Derr
X-Patchwork-Id: 1305841
From: Simon Derr
To: v9fs-developer@lists.sourceforge.net
Date: Fri, 10 Aug 2012 15:52:06 +0200
Message-Id: <1344606726-28754-1-git-send-email-simon.derr@bull.net>
Cc: Simon Derr
Subject: [V9fs-developer] [PATCH] 9P : Check errno validity

Hi,

While working on a modified server I had the Linux clients crash a few times. This led me to find this:

Some error codes are directly extracted from the server replies. A malformed server reply could contain an invalid error code, with a very large value. If this value is then passed to ERR_PTR() it will not be properly detected as an error code by IS_ERR() and as a result the kernel will dereference an invalid pointer.

This patch tries to avoid this.

Simon

Signed-off-by: Simon Derr
---
 net/9p/client.c | 18 ++++++++++++++++--
 1 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/net/9p/client.c b/net/9p/client.c
index a170893..d066294 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -76,6 +76,20 @@ inline int p9_is_proto_dotu(struct p9_client *clnt) } EXPORT_SYMBOL(p9_is_proto_dotu); +/* + * Some error codes are taken directly from the server replies, + * make sure they are valid. + */ +static int safe_errno(int err) +{ + if ((err > 0) || (err < -MAX_ERRNO)) { + p9_debug(P9_DEBUG_ERROR, "Invalid error code %d\n", err); + return -EINVAL; + } + return err; +} + + /* Interpret mount option for protocol version */ static int get_protocol_version(char *s) { @@ -782,7 +796,7 @@ again: return req; reterr: p9_free_req(c, req); - return ERR_PTR(err); + return ERR_PTR(safe_errno(err)); } /** @@ -865,7 +879,7 @@ static struct p9_req_t *p9_client_zc_rpc(struct p9_client *c, int8_t type, return req; reterr: p9_free_req(c, req); - return ERR_PTR(err); + return ERR_PTR(safe_errno(err)); } static struct p9_fid *p9_fid_create(struct p9_client *clnt)
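Review bot: In safe_errno() (hunk at -76), the range test `(err > 0) || (err < -MAX_ERRNO)` lets err == 0 through, and ERR_PTR(0) is NULL, which IS_ERR() does not flag either, so a caller that only tests IS_ERR() would still go on to use the pointer. If zero can reach the reterr paths, reject it too (for example `err >= 0`), or say in the comment why it cannot. Smaller points: the inner parentheses are unnecessary, the hunk leaves two blank lines before the get_protocol_version() comment, and p9_debug(P9_DEBUG_ERROR, ...) is only emitted when 9P debugging is enabled, so a malformed reply will normally go unreported; a rate-limited warning would make a misbehaving server visible.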
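Review bot: Both reterr paths (the hunk at -782 and p9_client_zc_rpc() at -865) sanitize only at the point of return, which covers these two ERR_PTR() calls but no other use of the same server-supplied value. The comment on safe_errno() says the codes are taken from server replies; validating where the code is read out of the reply would cover every consumer and keep locally generated errors out of the check. Also consider whether -EINVAL is the right substitute: the caller's arguments were fine and the peer sent a bad reply, so -EIO or -EPROTO would describe the failure better.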
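Added example, not part of Simon Derr's patch or the kernel source: a userspace C model of ERR_PTR()/IS_ERR() showing why a server-supplied code outside [-MAX_ERRNO, -1] is not recognized as an error pointer, and what the range check from the patch changes. model_safe_errno(), caller_view() and the sample values are constructed for illustration; MAX_ERRNO is 4095 as in include/linux/err.h.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095	/* same value as include/linux/err.h */

/* Userspace models of the kernel helpers: an errno is stored in the pointer. */
static void *ERR_PTR(long error) { return (void *)(intptr_t)error; }

/* Only the top MAX_ERRNO addresses are recognized as error pointers. */
static int IS_ERR(const void *ptr)
{
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

/* Same range check as the patch's safe_errno(), without the debug print. */
static int model_safe_errno(int err)
{
	if (err > 0 || err < -MAX_ERRNO)
		return -EINVAL;
	return err;
}

enum outcome { SEEN_AS_ERROR, TREATED_AS_VALID_POINTER };

/* What a caller that tests only IS_ERR(req) concludes about the result. */
static enum outcome caller_view(int err, int sanitize)
{
	void *req = ERR_PTR(sanitize ? model_safe_errno(err) : err);

	return IS_ERR(req) ? SEEN_AS_ERROR : TREATED_AS_VALID_POINTER;
}

int main(void)
{
	/* Constructed sample codes standing in for values read from a reply. */
	const int samples[] = { -EIO, -MAX_ERRNO, -MAX_ERRNO - 1, -1000000, 5, 0 };
	const char *name[] = { "error", "valid pointer" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%9d  raw: %-13s  checked: %s\n", samples[i],
		       name[caller_view(samples[i], 0)],
		       name[caller_view(samples[i], 1)]);
	return 0;
}
```

The 0 row stays "valid pointer" in both columns: ERR_PTR(0) is NULL, which the range check passes and IS_ERR() does not flag.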