From: Stefan Hajnoczi <stefanha@redhat.com>

Date: Mon, 27 Jan 2020 19:01:23 +0000

Subject: [PATCH] virtiofsd: check input buffer size in fuse_lowlevel.c ops

Each FUSE operation involves parsing the input buffer.  Currently the

code assumes the input buffer is large enough for the expected

arguments.  This patch uses fuse_mbuf_iter to check the size.

Most operations are simple to convert.  Some are more complicated due to

variable-length inputs or different sizes depending on the protocol

version.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Reviewed-by: Sergio Lopez <slp@redhat.com>

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

(cherry picked from commit 70995754416eb4491c31607fe380a83cfd25a087)

---

 tools/virtiofsd/fuse_lowlevel.c | 581 +++++++++++++++++++++++++-------

 1 file changed, 456 insertions(+), 125 deletions(-)

diff --git a/tools/virtiofsd/fuse_lowlevel.c b/tools/virtiofsd/fuse_lowlevel.c

index 611e8b0354..02e1d83038 100644

--- a/tools/virtiofsd/fuse_lowlevel.c

+++ b/tools/virtiofsd/fuse_lowlevel.c

@@ -19,6 +19,7 @@

 #include <assert.h>

 #include <errno.h>

 #include <limits.h>

+#include <stdbool.h>

 #include <stddef.h>

 #include <stdio.h>

 #include <stdlib.h>

@@ -27,7 +28,6 @@

 #include <unistd.h>

-#define PARAM(inarg) (((char *)(inarg)) + sizeof(*(inarg)))

 #define OFFSET_MAX 0x7fffffffffffffffLL

 struct fuse_pollhandle {

@@ -706,9 +706,14 @@ int fuse_reply_lseek(fuse_req_t req, off_t off)

     return send_reply_ok(req, &arg, sizeof(arg));

 }

-static void do_lookup(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_lookup(fuse_req_t req, fuse_ino_t nodeid,

+                      struct fuse_mbuf_iter *iter)

 {

-    char *name = (char *)inarg;

+    const char *name = fuse_mbuf_iter_advance_str(iter);

+    if (!name) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

     if (req->se->op.lookup) {

         req->se->op.lookup(req, nodeid, name);

@@ -717,9 +722,16 @@ static void do_lookup(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_forget(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_forget(fuse_req_t req, fuse_ino_t nodeid,

+                      struct fuse_mbuf_iter *iter)

 {

-    struct fuse_forget_in *arg = (struct fuse_forget_in *)inarg;

+    struct fuse_forget_in *arg;

+

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    if (!arg) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

     if (req->se->op.forget) {

         req->se->op.forget(req, nodeid, arg->nlookup);

@@ -729,20 +741,48 @@ static void do_forget(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

 }

 static void do_batch_forget(fuse_req_t req, fuse_ino_t nodeid,

-                            const void *inarg)

+                            struct fuse_mbuf_iter *iter)

 {

-    struct fuse_batch_forget_in *arg = (void *)inarg;

-    struct fuse_forget_one *param = (void *)PARAM(arg);

-    unsigned int i;

+    struct fuse_batch_forget_in *arg;

+    struct fuse_forget_data *forgets;

+    size_t scount;

     (void)nodeid;

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    if (!arg) {

+        fuse_reply_none(req);

+        return;

+    }

+

+    /*

+     * Prevent integer overflow.  The compiler emits the following warning

+     * unless we use the scount local variable:

+     *

+     * error: comparison is always false due to limited range of data type

+     * [-Werror=type-limits]

+     *

+     * This may be true on 64-bit hosts but we need this check for 32-bit

+     * hosts.

+     */

+    scount = arg->count;

+    if (scount > SIZE_MAX / sizeof(forgets[0])) {

+        fuse_reply_none(req);

+        return;

+    }

+

+    forgets = fuse_mbuf_iter_advance(iter, arg->count * sizeof(forgets[0]));

+    if (!forgets) {

+        fuse_reply_none(req);

+        return;

+    }

+

     if (req->se->op.forget_multi) {

-        req->se->op.forget_multi(req, arg->count,

-                                 (struct fuse_forget_data *)param);

+        req->se->op.forget_multi(req, arg->count, forgets);

     } else if (req->se->op.forget) {

+        unsigned int i;

+

         for (i = 0; i < arg->count; i++) {

-            struct fuse_forget_one *forget = &param[i];

             struct fuse_req *dummy_req;

             dummy_req = fuse_ll_alloc_req(req->se);

@@ -754,7 +794,7 @@ static void do_batch_forget(fuse_req_t req, fuse_ino_t nodeid,

             dummy_req->ctx = req->ctx;

             dummy_req->ch = NULL;

-            req->se->op.forget(dummy_req, forget->nodeid, forget->nlookup);

+            req->se->op.forget(dummy_req, forgets[i].ino, forgets[i].nlookup);

         }

         fuse_reply_none(req);

     } else {

@@ -762,12 +802,19 @@ static void do_batch_forget(fuse_req_t req, fuse_ino_t nodeid,

     }

 }

-static void do_getattr(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_getattr(fuse_req_t req, fuse_ino_t nodeid,

+                       struct fuse_mbuf_iter *iter)

 {

     struct fuse_file_info *fip = NULL;

     struct fuse_file_info fi;

-    struct fuse_getattr_in *arg = (struct fuse_getattr_in *)inarg;

+    struct fuse_getattr_in *arg;

+

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    if (!arg) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

     if (arg->getattr_flags & FUSE_GETATTR_FH) {

         memset(&fi, 0, sizeof(fi));

@@ -782,14 +829,21 @@ static void do_getattr(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_setattr(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_setattr(fuse_req_t req, fuse_ino_t nodeid,

+                       struct fuse_mbuf_iter *iter)

 {

-    struct fuse_setattr_in *arg = (struct fuse_setattr_in *)inarg;

-

     if (req->se->op.setattr) {

+        struct fuse_setattr_in *arg;

         struct fuse_file_info *fi = NULL;

         struct fuse_file_info fi_store;

         struct stat stbuf;

+

+        arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+        if (!arg) {

+            fuse_reply_err(req, EINVAL);

+            return;

+        }

+

         memset(&stbuf, 0, sizeof(stbuf));

         convert_attr(arg, &stbuf);

         if (arg->valid & FATTR_FH) {

@@ -810,9 +864,16 @@ static void do_setattr(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_access(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_access(fuse_req_t req, fuse_ino_t nodeid,

+                      struct fuse_mbuf_iter *iter)

 {

-    struct fuse_access_in *arg = (struct fuse_access_in *)inarg;

+    struct fuse_access_in *arg;

+

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    if (!arg) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

     if (req->se->op.access) {

         req->se->op.access(req, nodeid, arg->mask);

@@ -821,9 +882,10 @@ static void do_access(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_readlink(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_readlink(fuse_req_t req, fuse_ino_t nodeid,

+                        struct fuse_mbuf_iter *iter)

 {

-    (void)inarg;

+    (void)iter;

     if (req->se->op.readlink) {

         req->se->op.readlink(req, nodeid);

@@ -832,10 +894,18 @@ static void do_readlink(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_mknod(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_mknod(fuse_req_t req, fuse_ino_t nodeid,

+                     struct fuse_mbuf_iter *iter)

 {

-    struct fuse_mknod_in *arg = (struct fuse_mknod_in *)inarg;

-    char *name = PARAM(arg);

+    struct fuse_mknod_in *arg;

+    const char *name;

+

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    name = fuse_mbuf_iter_advance_str(iter);

+    if (!arg || !name) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

     req->ctx.umask = arg->umask;

@@ -846,22 +916,37 @@ static void do_mknod(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_mkdir(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_mkdir(fuse_req_t req, fuse_ino_t nodeid,

+                     struct fuse_mbuf_iter *iter)

 {

-    struct fuse_mkdir_in *arg = (struct fuse_mkdir_in *)inarg;

+    struct fuse_mkdir_in *arg;

+    const char *name;

+

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    name = fuse_mbuf_iter_advance_str(iter);

+    if (!arg || !name) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

     req->ctx.umask = arg->umask;

     if (req->se->op.mkdir) {

-        req->se->op.mkdir(req, nodeid, PARAM(arg), arg->mode);

+        req->se->op.mkdir(req, nodeid, name, arg->mode);

     } else {

         fuse_reply_err(req, ENOSYS);

     }

 }

-static void do_unlink(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_unlink(fuse_req_t req, fuse_ino_t nodeid,

+                      struct fuse_mbuf_iter *iter)

 {

-    char *name = (char *)inarg;

+    const char *name = fuse_mbuf_iter_advance_str(iter);

+

+    if (!name) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

     if (req->se->op.unlink) {

         req->se->op.unlink(req, nodeid, name);

@@ -870,9 +955,15 @@ static void do_unlink(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_rmdir(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_rmdir(fuse_req_t req, fuse_ino_t nodeid,

+                     struct fuse_mbuf_iter *iter)

 {

-    char *name = (char *)inarg;

+    const char *name = fuse_mbuf_iter_advance_str(iter);

+

+    if (!name) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

     if (req->se->op.rmdir) {

         req->se->op.rmdir(req, nodeid, name);

@@ -881,10 +972,16 @@ static void do_rmdir(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_symlink(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_symlink(fuse_req_t req, fuse_ino_t nodeid,

+                       struct fuse_mbuf_iter *iter)

 {

-    char *name = (char *)inarg;

-    char *linkname = ((char *)inarg) + strlen((char *)inarg) + 1;

+    const char *name = fuse_mbuf_iter_advance_str(iter);

+    const char *linkname = fuse_mbuf_iter_advance_str(iter);

+

+    if (!name || !linkname) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

     if (req->se->op.symlink) {

         req->se->op.symlink(req, linkname, nodeid, name);

@@ -893,11 +990,20 @@ static void do_symlink(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_rename(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_rename(fuse_req_t req, fuse_ino_t nodeid,

+                      struct fuse_mbuf_iter *iter)

 {

-    struct fuse_rename_in *arg = (struct fuse_rename_in *)inarg;

-    char *oldname = PARAM(arg);

-    char *newname = oldname + strlen(oldname) + 1;

+    struct fuse_rename_in *arg;

+    const char *oldname;

+    const char *newname;

+

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    oldname = fuse_mbuf_iter_advance_str(iter);

+    newname = fuse_mbuf_iter_advance_str(iter);

+    if (!arg || !oldname || !newname) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

     if (req->se->op.rename) {

         req->se->op.rename(req, nodeid, oldname, arg->newdir, newname, 0);

@@ -906,11 +1012,20 @@ static void do_rename(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_rename2(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_rename2(fuse_req_t req, fuse_ino_t nodeid,

+                       struct fuse_mbuf_iter *iter)

 {

-    struct fuse_rename2_in *arg = (struct fuse_rename2_in *)inarg;

-    char *oldname = PARAM(arg);

-    char *newname = oldname + strlen(oldname) + 1;

+    struct fuse_rename2_in *arg;

+    const char *oldname;

+    const char *newname;

+

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    oldname = fuse_mbuf_iter_advance_str(iter);

+    newname = fuse_mbuf_iter_advance_str(iter);

+    if (!arg || !oldname || !newname) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

     if (req->se->op.rename) {

         req->se->op.rename(req, nodeid, oldname, arg->newdir, newname,

@@ -920,24 +1035,38 @@ static void do_rename2(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_link(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_link(fuse_req_t req, fuse_ino_t nodeid,

+                    struct fuse_mbuf_iter *iter)

 {

-    struct fuse_link_in *arg = (struct fuse_link_in *)inarg;

+    struct fuse_link_in *arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    const char *name = fuse_mbuf_iter_advance_str(iter);

+

+    if (!arg || !name) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

     if (req->se->op.link) {

-        req->se->op.link(req, arg->oldnodeid, nodeid, PARAM(arg));

+        req->se->op.link(req, arg->oldnodeid, nodeid, name);

     } else {

         fuse_reply_err(req, ENOSYS);

     }

 }

-static void do_create(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_create(fuse_req_t req, fuse_ino_t nodeid,

+                      struct fuse_mbuf_iter *iter)

 {

-    struct fuse_create_in *arg = (struct fuse_create_in *)inarg;

-

     if (req->se->op.create) {

+        struct fuse_create_in *arg;

         struct fuse_file_info fi;

-        char *name = PARAM(arg);

+        const char *name;

+

+        arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+        name = fuse_mbuf_iter_advance_str(iter);

+        if (!arg || !name) {

+            fuse_reply_err(req, EINVAL);

+            return;

+        }

         memset(&fi, 0, sizeof(fi));

         fi.flags = arg->flags;

@@ -950,11 +1079,18 @@ static void do_create(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_open(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_open(fuse_req_t req, fuse_ino_t nodeid,

+                    struct fuse_mbuf_iter *iter)

 {

-    struct fuse_open_in *arg = (struct fuse_open_in *)inarg;

+    struct fuse_open_in *arg;

     struct fuse_file_info fi;

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    if (!arg) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

+

     memset(&fi, 0, sizeof(fi));

     fi.flags = arg->flags;

@@ -965,13 +1101,15 @@ static void do_open(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_read(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_read(fuse_req_t req, fuse_ino_t nodeid,

+                    struct fuse_mbuf_iter *iter)

 {

-    struct fuse_read_in *arg = (struct fuse_read_in *)inarg;

-

     if (req->se->op.read) {

+        struct fuse_read_in *arg;

         struct fuse_file_info fi;

+        arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+

         memset(&fi, 0, sizeof(fi));

         fi.fh = arg->fh;

         fi.lock_owner = arg->lock_owner;

@@ -982,11 +1120,24 @@ static void do_read(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_write(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_write(fuse_req_t req, fuse_ino_t nodeid,

+                     struct fuse_mbuf_iter *iter)

 {

-    struct fuse_write_in *arg = (struct fuse_write_in *)inarg;

+    struct fuse_write_in *arg;

     struct fuse_file_info fi;

-    char *param;

+    const char *param;

+

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    if (!arg) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

+

+    param = fuse_mbuf_iter_advance(iter, arg->size);

+    if (!param) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

     memset(&fi, 0, sizeof(fi));

     fi.fh = arg->fh;

@@ -994,7 +1145,6 @@ static void do_write(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     fi.lock_owner = arg->lock_owner;

     fi.flags = arg->flags;

-    param = PARAM(arg);

     if (req->se->op.write) {

         req->se->op.write(req, nodeid, param, arg->size, arg->offset, &fi);

@@ -1052,11 +1202,18 @@ static void do_write_buf(fuse_req_t req, fuse_ino_t nodeid,

     se->op.write_buf(req, nodeid, pbufv, arg->offset, &fi);

 }

-static void do_flush(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_flush(fuse_req_t req, fuse_ino_t nodeid,

+                     struct fuse_mbuf_iter *iter)

 {

-    struct fuse_flush_in *arg = (struct fuse_flush_in *)inarg;

+    struct fuse_flush_in *arg;

     struct fuse_file_info fi;

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    if (!arg) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

+

     memset(&fi, 0, sizeof(fi));

     fi.fh = arg->fh;

     fi.flush = 1;

@@ -1069,19 +1226,26 @@ static void do_flush(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_release(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_release(fuse_req_t req, fuse_ino_t nodeid,

+                       struct fuse_mbuf_iter *iter)

 {

-    struct fuse_release_in *arg = (struct fuse_release_in *)inarg;

+    struct fuse_release_in *arg;

     struct fuse_file_info fi;

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    if (!arg) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

+

     memset(&fi, 0, sizeof(fi));

     fi.flags = arg->flags;

     fi.fh = arg->fh;

     fi.flush = (arg->release_flags & FUSE_RELEASE_FLUSH) ? 1 : 0;

     fi.lock_owner = arg->lock_owner;

+

     if (arg->release_flags & FUSE_RELEASE_FLOCK_UNLOCK) {

         fi.flock_release = 1;

-        fi.lock_owner = arg->lock_owner;

     }

     if (req->se->op.release) {

@@ -1091,11 +1255,19 @@ static void do_release(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_fsync(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_fsync(fuse_req_t req, fuse_ino_t nodeid,

+                     struct fuse_mbuf_iter *iter)

 {

-    struct fuse_fsync_in *arg = (struct fuse_fsync_in *)inarg;

+    struct fuse_fsync_in *arg;

     struct fuse_file_info fi;

-    int datasync = arg->fsync_flags & 1;

+    int datasync;

+

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    if (!arg) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

+    datasync = arg->fsync_flags & 1;

     memset(&fi, 0, sizeof(fi));

     fi.fh = arg->fh;

@@ -1111,11 +1283,18 @@ static void do_fsync(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_opendir(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_opendir(fuse_req_t req, fuse_ino_t nodeid,

+                       struct fuse_mbuf_iter *iter)

 {

-    struct fuse_open_in *arg = (struct fuse_open_in *)inarg;

+    struct fuse_open_in *arg;

     struct fuse_file_info fi;

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    if (!arg) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

+

     memset(&fi, 0, sizeof(fi));

     fi.flags = arg->flags;

@@ -1126,11 +1305,18 @@ static void do_opendir(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_readdir(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_readdir(fuse_req_t req, fuse_ino_t nodeid,

+                       struct fuse_mbuf_iter *iter)

 {

-    struct fuse_read_in *arg = (struct fuse_read_in *)inarg;

+    struct fuse_read_in *arg;

     struct fuse_file_info fi;

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    if (!arg) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

+

     memset(&fi, 0, sizeof(fi));

     fi.fh = arg->fh;

@@ -1141,11 +1327,18 @@ static void do_readdir(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_readdirplus(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_readdirplus(fuse_req_t req, fuse_ino_t nodeid,

+                           struct fuse_mbuf_iter *iter)

 {

-    struct fuse_read_in *arg = (struct fuse_read_in *)inarg;

+    struct fuse_read_in *arg;

     struct fuse_file_info fi;

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    if (!arg) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

+

     memset(&fi, 0, sizeof(fi));

     fi.fh = arg->fh;

@@ -1156,11 +1349,18 @@ static void do_readdirplus(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_releasedir(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_releasedir(fuse_req_t req, fuse_ino_t nodeid,

+                          struct fuse_mbuf_iter *iter)

 {

-    struct fuse_release_in *arg = (struct fuse_release_in *)inarg;

+    struct fuse_release_in *arg;

     struct fuse_file_info fi;

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    if (!arg) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

+

     memset(&fi, 0, sizeof(fi));

     fi.flags = arg->flags;

     fi.fh = arg->fh;

@@ -1172,11 +1372,19 @@ static void do_releasedir(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_fsyncdir(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_fsyncdir(fuse_req_t req, fuse_ino_t nodeid,

+                        struct fuse_mbuf_iter *iter)

 {

-    struct fuse_fsync_in *arg = (struct fuse_fsync_in *)inarg;

+    struct fuse_fsync_in *arg;

     struct fuse_file_info fi;

-    int datasync = arg->fsync_flags & 1;

+    int datasync;

+

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    if (!arg) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

+    datasync = arg->fsync_flags & 1;

     memset(&fi, 0, sizeof(fi));

     fi.fh = arg->fh;

@@ -1188,10 +1396,11 @@ static void do_fsyncdir(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_statfs(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_statfs(fuse_req_t req, fuse_ino_t nodeid,

+                      struct fuse_mbuf_iter *iter)

 {

     (void)nodeid;

-    (void)inarg;

+    (void)iter;

     if (req->se->op.statfs) {

         req->se->op.statfs(req, nodeid);

@@ -1204,11 +1413,25 @@ static void do_statfs(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

     }

 }

-static void do_setxattr(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)

+static void do_setxattr(fuse_req_t req, fuse_ino_t nodeid,

+                        struct fuse_mbuf_iter *iter)

 {

-    struct fuse_setxattr_in *arg = (struct fuse_setxattr_in *)inarg;

-    char *name = PARAM(arg);

-    char *value = name + strlen(name) + 1;

+    struct fuse_setxattr_in *arg;

+    const char *name;

+    const char *value;

+

+    arg = fuse_mbuf_iter_advance(iter, sizeof(*arg));

+    name = fuse_mbuf_iter_advance_str(iter);

+    if (!arg || !name) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

+

+    value = fuse_mbuf_iter_advance(iter, arg->size);

+    if (!value) {

+        fuse_reply_err(req, EINVAL);

+        return;

+    }

     if (req->se->op.setxattr) {

         req->se->op.setxattr(req, nodeid, name, value, arg->size, arg->flags);