@@ -163,18 +163,17 @@ let get_children_watches con path =
let is_dom0 con =
Perms.Connection.is_dom0 (get_perm con)
-let add_watch con path token =
+let add_watch con (path, apath) token =
if !Quota.activate && !Define.maxwatch > 0 &&
not (is_dom0 con) && con.nb_watches > !Define.maxwatch then
raise Quota.Limit_reached;
- let apath = get_watch_path con path in
let l = get_watches con apath in
if List.exists (fun w -> w.token = token) l then
raise Define.Already_exist;
let watch = watch_create ~con ~token ~path in
Hashtbl.replace con.watches apath (watch :: l);
con.nb_watches <- con.nb_watches + 1;
- apath, watch
+ watch
let del_watch con path token =
let apath = get_watch_path con path in
@@ -114,8 +114,10 @@ let key_of_path path =
"" :: Store.Path.to_string_list path
let add_watch cons con path token =
- let apath, watch = Connection.add_watch con path token in
+ let apath = Connection.get_watch_path con path in
+ (* fail on invalid paths early by calling key_of_str before adding watch *)
let key = key_of_str apath in
+ let watch = Connection.add_watch con (path, apath) token in
let watches =
if Trie.mem cons.watches key
then Trie.find cons.watches key
Watches on invalid paths were accepted, but they would never trigger. The client also got no notification that its watch is bad and would never trigger. Found again by the structured fuzzer, due to an error on live update reload: the invalid watch paths would get rejected during live update and the list of watches would be different pre/post live update. This was found by an older version of the fuzzer: ``` Test live-update failed (507 shrink steps): [NEW; (0, None, WATCH ([""; ""], "")); (0, None, CONTROL live-update ())] ``` The testcase is watch on `//`, which is an invalid path. Signed-off-by: Edwin Török <edvin.torok@citrix.com> --- tools/ocaml/xenstored/connection.ml | 5 ++--- tools/ocaml/xenstored/connections.ml | 4 +++- 2 files changed, 5 insertions(+), 4 deletions(-)