Add a new callback to the V9fsTransport interface that allows each transport
to provide the real size of its current response buffer.

This is needed for subsequent safety guards that will limit generated
responses appropriately before trying to allocate, generate, and send a
response to the guest.

This is especially required for request handlers that need to allocate
dynamic and potentially large host memory for generating a response. These
safety guards are mandatory to counter bad clients that try to trick the
server by supplying response buffers that are smaller than the previously
negotiated msize value.

Signed-off-by: Christian Schoenebeck <[email protected]>
---
 hw/9pfs/9p.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
index 14111e041a..1efe000f6f 100644
--- a/hw/9pfs/9p.h
+++ b/hw/9pfs/9p.h
@@ -482,6 +482,7 @@ struct V9fsTransport {
                                          unsigned int *pniov, size_t size);
     void        (*push_and_notify)(V9fsPDU *pdu);
     size_t      (*msize_limit)(V9fsState *s);
+    size_t      (*response_buffer_size)(V9fsPDU *pdu);
 };
 
 #endif
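Review bot: The new response_buffer_size member at the end of struct V9fsTransport carries no comment stating its contract, and because this patch touches only hw/9pfs/9p.h, no transport assigns it yet. Please document next to the declaration what it returns (the size in bytes of the response buffer for the given pdu, as opposed to the per-device value from msize_limit, which takes a V9fsState) and whether the pointer may be left NULL. If it is optional, later callers need a NULL check before calling it; if it is mandatory, it would help to say so here so that every transport's ops table is updated in the same series.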
-- 
2.47.3

