calculate
/
gentoo-overlay
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f2ed388e4b'
${ noResults }
gentoo-overlay/app-emulation/xen-tools/files/xen-4-CVE-2013-0215-XSA-38....

74 lines
2.5 KiB
Raw Blame History

diff --git a/tools/ocaml/libs/xb/partial.ml b/tools/ocaml/libs/xb/partial.ml
index 3558889..d4d1c7b 100644
--- a/tools/ocaml/libs/xb/partial.ml
+++ b/tools/ocaml/libs/xb/partial.ml
@@ -27,8 +27,15 @@ external header_size: unit -> int = "stub_header_size"
external header_of_string_internal: string -> int * int * int * int
= "stub_header_of_string"
+let xenstore_payload_max = 4096 (* xen/include/public/io/xs_wire.h *)
+
let of_string s =
let tid, rid, opint, dlen = header_of_string_internal s in
+ (* A packet which is bigger than xenstore_payload_max is illegal.
+ This will leave the guest connection is a bad state and will
+ be hard to recover from without restarting the connection
+ (ie rebooting the guest) *)
+ let dlen = min xenstore_payload_max dlen in
{
tid = tid;
rid = rid;
@@ -38,6 +45,7 @@ let of_string s =
}
let append pkt s sz =
+ if pkt.len > 4096 then failwith "Buffer.add: cannot grow buffer";
Buffer.add_string pkt.buf (String.sub s 0 sz)
let to_complete pkt =
diff --git a/tools/ocaml/libs/xb/xs_ring_stubs.c b/tools/ocaml/libs/xb/xs_ring_stubs.c
index 00414c5..4888ac5 100644
--- a/tools/ocaml/libs/xb/xs_ring_stubs.c
+++ b/tools/ocaml/libs/xb/xs_ring_stubs.c
@@ -39,21 +39,23 @@ static int xs_ring_read(struct mmap_interface *interface,
char *buffer, int len)
{
struct xenstore_domain_interface *intf = interface->addr;
- XENSTORE_RING_IDX cons, prod;
+ XENSTORE_RING_IDX cons, prod; /* offsets only */
int to_read;
- cons = intf->req_cons;
- prod = intf->req_prod;
+ cons = *(volatile uint32*)&intf->req_cons;
+ prod = *(volatile uint32*)&intf->req_prod;
xen_mb();
+ cons = MASK_XENSTORE_IDX(cons);
+ prod = MASK_XENSTORE_IDX(prod);
if (prod == cons)
return 0;
- if (MASK_XENSTORE_IDX(prod) > MASK_XENSTORE_IDX(cons))
+ if (prod > cons)
to_read = prod - cons;
else
- to_read = XENSTORE_RING_SIZE - MASK_XENSTORE_IDX(cons);
+ to_read = XENSTORE_RING_SIZE - cons;
if (to_read < len)
len = to_read;
- memcpy(buffer, intf->req + MASK_XENSTORE_IDX(cons), len);
+ memcpy(buffer, intf->req + cons, len);
xen_mb();
intf->req_cons += len;
return len;
@@ -66,8 +68,8 @@ static int xs_ring_write(struct mmap_interface *interface,
XENSTORE_RING_IDX cons, prod;
int can_write;
- cons = intf->rsp_cons;
- prod = intf->rsp_prod;
+ cons = *(volatile uint32*)&intf->rsp_cons;
+ prod = *(volatile uint32*)&intf->rsp_prod;
xen_mb();
if ( (prod - cons) >= XENSTORE_RING_SIZE )
return 0;
Reference in new issue View Git Blame Copy Permalink