File 0185-9pfs-make-pdu_-un-marshal-proper-fu.patch of Package qemu.12301
From 9bb81f4a7c060e5ffbbb4ff19094ca7f5cdb40ac Mon Sep 17 00:00:00 2001
From: Wei Liu <wei.liu2@citrix.com>
Date: Wed, 2 Dec 2015 14:22:04 +0000
Subject: [PATCH] 9pfs: make pdu_{,un}marshal proper functions
Factor out v9fs_iov_v{,un}marshal. Implement pdu_{,un}marshal with those
functions.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
(cherry picked from commit 0e2082d9e5aafbde9d1cf71159ce0123cd9fda05)
[BR: Fix and/or infrastructure for BSC#1020427 CVE-2016-9602]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
fsdev/9p-iov-marshal.c | 42 ++++++++++++++++++++++++++++++------------
fsdev/9p-iov-marshal.h | 5 +++++
hw/9pfs/virtio-9p.c | 26 ++++++++++++++++++++++++++
hw/9pfs/virtio-9p.h | 6 ++----
4 files changed, 63 insertions(+), 16 deletions(-)
diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
index 894c164dd6..1f5dfc0a23 100644
--- a/fsdev/9p-iov-marshal.c
+++ b/fsdev/9p-iov-marshal.c
@@ -77,15 +77,13 @@ ssize_t v9fs_pack(struct iovec *in_sg, int in_num, size_t offset,
return v9fs_packunpack((void *)src, in_sg, in_num, offset, size, 1);
}
-ssize_t v9fs_iov_unmarshal(struct iovec *out_sg, int out_num, size_t offset,
- int bswap, const char *fmt, ...)
+ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
+ int bswap, const char *fmt, va_list ap)
{
int i;
- va_list ap;
ssize_t copied = 0;
size_t old_offset = offset;
- va_start(ap, fmt);
for (i = 0; fmt[i]; i++) {
switch (fmt[i]) {
case 'b': {
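Review bot: v9fs_iov_vunmarshal is now an exported entry point taking a `va_list`, but nothing at its definition says who owns `ap` or what the return value means. After the call the caller's `ap` is indeterminate and may only be handed to `va_end`, which is what the new wrappers do. A short comment above the function would keep later callers from reusing it, e.g. `/* Consumes ap; caller owns va_start()/va_end(). Returns the number of bytes unmarshalled, or the negative value returned for the failing field. */`. The same applies to v9fs_iov_vmarshal in the next hunk of this file; both function bodies continue outside the lines shown here.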
@@ -181,25 +179,34 @@ ssize_t v9fs_iov_unmarshal(struct iovec *out_sg, int out_num, size_t offset,
break;
}
if (copied < 0) {
- va_end(ap);
return copied;
}
offset += copied;
}
- va_end(ap);
return offset - old_offset;
}
-ssize_t v9fs_iov_marshal(struct iovec *in_sg, int in_num, size_t offset,
- int bswap, const char *fmt, ...)
+ssize_t v9fs_iov_unmarshal(struct iovec *out_sg, int out_num, size_t offset,
+ int bswap, const char *fmt, ...)
{
- int i;
+ ssize_t ret;
va_list ap;
+
+ va_start(ap, fmt);
+ ret = v9fs_iov_vunmarshal(out_sg, out_num, offset, bswap, fmt, ap);
+ va_end(ap);
+
+ return ret;
+}
+
+ssize_t v9fs_iov_vmarshal(struct iovec *in_sg, int in_num, size_t offset,
+ int bswap, const char *fmt, va_list ap)
+{
+ int i;
ssize_t copied = 0;
size_t old_offset = offset;
- va_start(ap, fmt);
for (i = 0; fmt[i]; i++) {
switch (fmt[i]) {
case 'b': {
@@ -291,12 +298,23 @@ ssize_t v9fs_iov_marshal(struct iovec *in_sg, int in_num, size_t offset,
break;
}
if (copied < 0) {
- va_end(ap);
return copied;
}
offset += copied;
}
- va_end(ap);
return offset - old_offset;
}
+
+ssize_t v9fs_iov_marshal(struct iovec *in_sg, int in_num, size_t offset,
+ int bswap, const char *fmt, ...)
+{
+ ssize_t ret;
+ va_list ap;
+
+ va_start(ap, fmt);
+ ret = v9fs_iov_vmarshal(in_sg, in_num, offset, bswap, fmt, ap);
+ va_end(ap);
+
+ return ret;
+}
diff --git a/fsdev/9p-iov-marshal.h b/fsdev/9p-iov-marshal.h
index 993614f544..6bccbfb41a 100644
--- a/fsdev/9p-iov-marshal.h
+++ b/fsdev/9p-iov-marshal.h
@@ -10,4 +10,9 @@ ssize_t v9fs_iov_unmarshal(struct iovec *out_sg, int out_num, size_t offset,
int bswap, const char *fmt, ...);
ssize_t v9fs_iov_marshal(struct iovec *in_sg, int in_num, size_t offset,
int bswap, const char *fmt, ...);
+
+ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
+ int bswap, const char *fmt, va_list ap);
+ssize_t v9fs_iov_vmarshal(struct iovec *in_sg, int in_num, size_t offset,
+ int bswap, const char *fmt, va_list ap);
#endif
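Review bot: The two added prototypes use `va_list`, but this hunk adds no `#include <stdarg.h>`, and the header's include lines sit above the hunk and are not visible here. If the header does not already pull it in, a translation unit that includes 9p-iov-marshal.h before anything else providing `va_list` will fail to compile. Adding `#include <stdarg.h>` at the top of the header would make it self-contained.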
diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c
index 67b8db7011..4e02b552ab 100644
--- a/hw/9pfs/virtio-9p.c
+++ b/hw/9pfs/virtio-9p.c
@@ -37,6 +37,32 @@ enum {
Oappend = 0x80,
};
+ssize_t pdu_marshal(V9fsPDU *pdu, size_t offset, const char *fmt, ...)
+{
+ ssize_t ret;
+ va_list ap;
+
+ va_start(ap, fmt);
+ ret = v9fs_iov_vmarshal(pdu->elem.in_sg, pdu->elem.in_num,
+ offset, 1, fmt, ap);
+ va_end(ap);
+
+ return ret;
+}
+
+ssize_t pdu_unmarshal(V9fsPDU *pdu, size_t offset, const char *fmt, ...)
+{
+ ssize_t ret;
+ va_list ap;
+
+ va_start(ap, fmt);
+ ret = v9fs_iov_vunmarshal(pdu->elem.out_sg, pdu->elem.out_num,
+ offset, 1, fmt, ap);
+ va_end(ap);
+
+ return ret;
+}
+
static int omode_to_uflags(int8_t mode)
{
int ret = 0;
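Review bot: Both new functions pass a bare `1` for the `bswap` parameter and carry no comment on their contract, so the reader has to open 9p-iov-marshal.c to learn what the flag selects and that a negative return means failure. I would add a brief comment above each, along the lines of `/* Marshal into the PDU's in_sg at offset; returns bytes written or a negative value on failure. */`. It should also note in one line what `bswap = 1` selects (presumably byte-order conversion for the wire format, to be confirmed against v9fs_iov_vmarshal). It is also worth stating that pdu_marshal targets `in_sg` and pdu_unmarshal reads `out_sg`, since the direction naming is easy to invert. The trailing omode_to_uflags context continues outside the hunk.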
diff --git a/hw/9pfs/virtio-9p.h b/hw/9pfs/virtio-9p.h
index 3a7e136ab6..d6f3ac08a7 100644
--- a/hw/9pfs/virtio-9p.h
+++ b/hw/9pfs/virtio-9p.h
@@ -320,10 +320,8 @@ extern void v9fs_path_copy(V9fsPath *lhs, V9fsPath *rhs);
extern int v9fs_name_to_path(V9fsState *s, V9fsPath *dirpath,
const char *name, V9fsPath *path);
-#define pdu_marshal(pdu, offset, fmt, args...) \
- v9fs_iov_marshal(pdu->elem.in_sg, pdu->elem.in_num, offset, 1, fmt, ##args)
-#define pdu_unmarshal(pdu, offset, fmt, args...) \
- v9fs_iov_unmarshal(pdu->elem.out_sg, pdu->elem.out_num, offset, 1, fmt, ##args)
+ssize_t pdu_marshal(V9fsPDU *pdu, size_t offset, const char *fmt, ...);
+ssize_t pdu_unmarshal(V9fsPDU *pdu, size_t offset, const char *fmt, ...);
#define TYPE_VIRTIO_9P "virtio-9p-device"
#define VIRTIO_9P(obj) \
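Review bot: Now that pdu_marshal and pdu_unmarshal are real prototypes rather than macros, they can carry an attribute that makes an ignored return value a compile-time diagnostic. Both return `ssize_t` and propagate a negative result when a field cannot be copied, so a caller that drops the result would keep working with values that were never filled in from the request buffer. If the existing callers already check the result, consider declaring them as `ssize_t QEMU_WARN_UNUSED_RESULT pdu_unmarshal(V9fsPDU *pdu, size_t offset, const char *fmt, ...);` and likewise for pdu_marshal, assuming qemu/compiler.h is in scope for this header.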