From a69e5af841b7213bd64ceacbf3146a479328ff76 Mon Sep 17 00:00:00 2001
From: Ian Campbell
Date: Wed, 4 Jan 2012 09:34:49 +0000
Subject: [PATCH] --- yaml --- r: 282100 b: refs/heads/master c: 9e7860cee18241633eddb36a4c34c7b61d8cecbc h: refs/heads/master v: v3
---
 [refs] | 2 +-
 trunk/drivers/xen/xenbus/xenbus_xs.c | 6 ++++++
 trunk/include/xen/interface/io/xs_wire.h | 3 +++
 3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/[refs] b/[refs]
index 27fa339b13e8..30c7a3a4affb 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 73db144b58a32fc39733db6a7e1fe582072ad26a
+refs/heads/master: 9e7860cee18241633eddb36a4c34c7b61d8cecbc
diff --git a/trunk/drivers/xen/xenbus/xenbus_xs.c b/trunk/drivers/xen/xenbus/xenbus_xs.c
index b3b8f2f3ad10..6f0121e3be69 100644
--- a/trunk/drivers/xen/xenbus/xenbus_xs.c
+++ b/trunk/drivers/xen/xenbus/xenbus_xs.c
@@ -810,6 +810,12 @@ static int process_msg(void)
 goto out;
 }

+ if (msg->hdr.len > XENSTORE_PAYLOAD_MAX) {
+ kfree(msg);
+ err = -EINVAL;
+ goto out;
+ }
+
 body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH);
 if (body == NULL) {
 kfree(msg);
diff --git a/trunk/include/xen/interface/io/xs_wire.h b/trunk/include/xen/interface/io/xs_wire.h
index f0b6890370be..3c1877caaefc 100644
--- a/trunk/include/xen/interface/io/xs_wire.h
+++ b/trunk/include/xen/interface/io/xs_wire.h
@@ -88,4 +88,7 @@ struct xenstore_domain_interface {
 XENSTORE_RING_IDX rsp_cons, rsp_prod;
 };

+/* Violating this is very bad. See docs/misc/xenstore.txt. */
+#define XENSTORE_PAYLOAD_MAX 4096
+
 #endif /* _XS_WIRE_H */
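Review bot: The added length check in process_msg() drops an oversized message without logging anything, so a corrupt or misbehaving xenstore peer is invisible to whoever later has to explain the -EINVAL; a rate-limited warning ahead of `goto out`, such as `pr_warn_ratelimited("xenbus: message payload too large (%u)\n", msg->hdr.len);` (assuming `len` is a 32-bit unsigned field), would make it diagnosable. The check is also the only thing keeping `msg->hdr.len + 1` in the following kmalloc() from wrapping on a peer-supplied length, which deserves a one-line comment such as `/* hdr.len comes from the ring: bound it before sizing the body buffer */`. By this point the header has presumably already been consumed, so the rejected payload may still sit in the ring and be parsed as the next header; the `out` path and the caller lie outside the hunk, so confirm the connection is treated as unusable after this error.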
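Review bot: The comment above `XENSTORE_PAYLOAD_MAX` does not say what the limit measures or what goes wrong when it is exceeded, and `docs/misc/xenstore.txt` is not a path this diff shows in the tree (it looks like a reference to the Xen source tree). If this header is allowed to diverge from its upstream copy, something like `/* Maximum xenstore message payload in bytes (hdr.len); receivers must reject anything larger. See docs/misc/xenstore.txt in the Xen tree. */` would let a reader apply the limit correctly without the external document.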