author | Dominique Martinet <asmadeus@codewreck.org> | 2022-11-22 01:06:56 +0100 |
---|---|---|
committer | Dominique Martinet <asmadeus@codewreck.org> | 2022-12-02 16:04:37 +0100 |
commit | f15e006b831384aaec4b4f13265c0dff88ef09dd (patch) | |
tree | f0aad1fb29528093cdfd2281ca3072a9b35c192c | |
parent | 9p: set req refcount to zero to avoid uninitialized usage (diff) | |
9p/xen: do not memcpy header into req->rc
while 'h' is packed and can be assumed to match the request payload,
req->rc is a struct p9_fcall which is not packed and that memcpy
could be wrong.
Fix this by copying each field individually instead.
Reported-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Suggested-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Link: https://lkml.kernel.org/r/alpine.DEB.2.22.394.2211211454540.1049131@ubuntu-linux-20-04-desktop
Link: https://lkml.kernel.org/r/20221122001025.119121-1-asmadeus@codewreck.org
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
-rw-r--r-- | net/9p/trans_xen.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c index aaa5fd364691..de2d2ca8819a 100644 --- a/net/9p/trans_xen.c +++ b/net/9p/trans_xen.c @@ -216,7 +216,9 @@ static void p9_xen_response(struct work_struct *work) goto recv_error; } - memcpy(&req->rc, &h, sizeof(h)); + req->rc.size = h.size; + req->rc.id = h.id; + req->rc.tag = h.tag; req->rc.offset = 0; masked_cons = xen_9pfs_mask(cons, XEN_9PFS_RING_SIZE(ring)); |
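Review bot: The three new assignments in p9_xen_response() (`req->rc.size = h.size;`, `req->rc.id = h.id;`, `req->rc.tag = h.tag;`) carry no comment explaining why the header is copied field by field, so a later cleanup could fold them back into the memcpy this patch removes. Consider a one-line comment above them saying that `h` is packed while `req->rc` (struct p9_fcall) is not, so the layouts cannot be assumed to match. Separately, `h.size` is read from the ring and stored into `req->rc.size` as is; the only validation visible in this context is whatever precedes `goto recv_error;`, so it is worth confirming that check bounds the size against the receive buffer before this point.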