-rw-r--r--lib/private.h6
-rw-r--r--lib/tran_pipe.c2
-rw-r--r--lib/tran_sock.c2
3 files changed, 8 insertions, 2 deletions
diff --git a/lib/private.h b/lib/private.h
index e3d97b3..b89df8b 100644
--- a/lib/private.h
+++ b/lib/private.h
@@ -62,6 +62,12 @@
sizeof(struct vfio_user_region_access))
/*
+ * Maximum value we are prepared to accept in hdr->error_no. Somewhat arbitrary
+ * value low enough to avoid any signed conversion issues.
+ */
+#define SERVER_MAX_ERROR_NO (4096)
+
+/*
* Structure used to hold an in-flight request+reply.
*
* Incoming request body and fds are stored in in.*.
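Review bot: The comment on `SERVER_MAX_ERROR_NO` gives the limit but not where the value comes from or what happens when it is exceeded. Judging by the two call sites changed in this commit, `hdr->error_no` is read off the transport and an out-of-range value is replaced with `EINVAL` before it reaches `ERROR_INT()`. I would extend the comment with something like `* hdr->error_no is supplied by the peer; the transport recv paths replace anything outside 1..SERVER_MAX_ERROR_NO with EINVAL.` so that the next reader does not have to find the users to learn the policy.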
diff --git a/lib/tran_pipe.c b/lib/tran_pipe.c
index 4c3dc9c..48d8ea4 100644
--- a/lib/tran_pipe.c
+++ b/lib/tran_pipe.c
@@ -137,7 +137,7 @@ tran_pipe_recv(int fd, struct vfio_user_header *hdr, bool is_reply,
}
if (hdr->flags & VFIO_USER_F_ERROR) {
- if (hdr->error_no <= 0) {
+ if (hdr->error_no <= 0 || hdr->error_no > SERVER_MAX_ERROR_NO) {
hdr->error_no = EINVAL;
}
return ERROR_INT(hdr->error_no);
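Review bot: An out-of-range `hdr->error_no` is rewritten to `EINVAL` with no trace of the value the peer actually sent, which makes a malformed or hostile header indistinguishable from a genuine `EINVAL` reply. If a logging context is reachable from `tran_pipe_recv` (not visible in this hunk), a debug-level message carrying the original value would help when triaging a misbehaving peer. The identical condition is added to `tran_sock_recv_fds` in lib/tran_sock.c, so the same remark applies there. A small `static inline` predicate placed next to `SERVER_MAX_ERROR_NO` in lib/private.h would keep the two transports from drifting apart. If `error_no` is an unsigned field (its declaration is not shown here), `<= 0` only ever matches zero and `== 0` would state the intent more plainly. Both functions begin and continue outside their hunks.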
diff --git a/lib/tran_sock.c b/lib/tran_sock.c
index 024e5b0..5f144b2 100644
--- a/lib/tran_sock.c
+++ b/lib/tran_sock.c
@@ -217,7 +217,7 @@ tran_sock_recv_fds(int sock, struct vfio_user_header *hdr, bool is_reply,
}
if (hdr->flags & VFIO_USER_F_ERROR) {
- if (hdr->error_no <= 0) {
+ if (hdr->error_no <= 0 || hdr->error_no > SERVER_MAX_ERROR_NO) {
hdr->error_no = EINVAL;
}
return ERROR_INT(hdr->error_no);