fuse: Fix boundary check of buffer size and header

From fuse/dev.c in Linux kernel[1], max_write should not include the headers. Without this fix, the buffer returned by the FUSE device comes with a header that fails this check. [1] https://elixir.bootlin.com/linux/v5.11-rc7/source/fs/fuse/dev.c#L1220 BUG=chromium:1176310 TEST=large write succeeds after applying this fix Change-Id: I321c27a0ca005de6a021bdf044b7d859b57f1cfa Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2685219 Tested-by: Victor Hsieh <victorhsieh@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Chirantan Ekbote <chirantan@chromium.org> Commit-Queue: Victor Hsieh <victorhsieh@chromium.org>
2024-11-25 05:03:05 +00:00 · 2021-02-09 11:34:45 -08:00 · 2021-02-09 11:34:45 -08:00 · 451ee23a67
commit 451ee23a67
parent c664ea24d5
1 changed files with 3 additions and 1 deletions
--- a/fuse/src/server.rs
+++ b/fuse/src/server.rs
@ -115,7 +115,9 @@ impl<F: FileSystem + Sync> Server<F> {
        mapper: M,
    ) -> Result<usize> {
        let in_header = InHeader::from_reader(&mut r).map_err(Error::DecodeMessage)?;
-        if in_header.len > self.fs.max_buffer_size() {
+        if in_header.len
+            > size_of::<InHeader>() as u32 + size_of::<WriteIn>() as u32 + self.fs.max_buffer_size()
+        {
            return reply_error(
                io::Error::from_raw_os_error(libc::ENOMEM),
                in_header.unique,