On Friday, 29 May 2026 18:30:38 CEST Christian Schoenebeck wrote: > This series fixes a guest-triggerable assertion fault (DoS) caused by > sending an illegal new name with the legacy Twstat rename handler. > > - Patch 1: This is the core fix that prevents the DoS vulnerability. > > - Patch 2: Additionally rejects "." and ".." as new names with Twstat > rename operations (not being a vulnerability though). > > - Patch 3: Consolidates the name validation logic spread multiple > times over multiple request handlers. > > Christian Schoenebeck (3): > hw/9pfs: fix abort due to illegal name with Twstat rename > hw/9pfs: reject . and .. in Twstat rename > hw/9pfs: consolidate name validation with check_name() > > hw/9pfs/9p.c | 97 +++++++++++++++++++++++----------------------------- > 1 file changed, 42 insertions(+), 55 deletions(-)
Queued on 9p.next: https://github.com/cschoenebeck/qemu/commits/9p.next Thanks! /Christian
