xen: xenbus_dev_frontend: Really return response string

xenbus_command_reply() did not actually copy the response string and leaked stack content instead. Fixes: 9a6161fe73bd ("xen: return xenstore command failures via response instead of rc") Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com> Reviewed-by: Juergen Gross <jgross@suse.com> Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
author: Simon Gaiser <simon@invisiblethingslab.com> 2018-03-14 23:08:03 -0400
committer: Boris Ostrovsky <boris.ostrovsky@oracle.com> 2018-04-17 08:29:08 -0400
commit: ebf04f331fa15a966262341a7dc6b1a0efd633e4 (patch)
tree: 920378e5359706325831631f4df34b945c13c1bb
parent: cd6e992b3aab072cc90839508aaf5573c8f7e066 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c
index 0d6d9264d6a9..c3e201025ef0 100644
--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -403,7 +403,7 @@ static int xenbus_command_reply(struct xenbus_file_priv *u,
 {
        struct {
                struct xsd_sockmsg hdr;
-                const char body[16];
+                char body[16];
        } msg;
        int rc;
@@ -412,6 +412,7 @@ static int xenbus_command_reply(struct xenbus_file_priv *u,
        msg.hdr.len = strlen(reply) + 1;
        if (msg.hdr.len > sizeof(msg.body))
                return -E2BIG;
+        memcpy(&msg.body, reply, msg.hdr.len);
        mutex_lock(&u->reply_mutex);
        rc = queue_reply(&u->read_buffers, &msg, sizeof(msg.hdr) + msg.hdr.len);
author	Simon Gaiser <simon@invisiblethingslab.com>	2018-03-14 23:08:03 -0400
committer	Boris Ostrovsky <boris.ostrovsky@oracle.com>	2018-04-17 08:29:08 -0400
commit	ebf04f331fa15a966262341a7dc6b1a0efd633e4 (patch)
tree	920378e5359706325831631f4df34b945c13c1bb
parent	cd6e992b3aab072cc90839508aaf5573c8f7e066 (diff)