From 577b7eb2dfc1939846ec97d8451f152ee456cd63 Mon Sep 17 00:00:00 2001
From: "VMware, Inc" <>
Date: Wed, 21 Dec 2011 16:32:42 -0800
Subject: [PATCH] Fix a security issue in HGFS server.

When a packet is received by the HGFS server, all sanity tests related to the header size and packet sizes should be done first before doing any other tests. Moved the header and packet size checks to the beginning of the validation process.

Signed-off-by: Marcelo Vanzin
---
 .../lib/hgfsServer/hgfsServerParameters.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/open-vm-tools/lib/hgfsServer/hgfsServerParameters.c b/open-vm-tools/lib/hgfsServer/hgfsServerParameters.c
index b5faa16b1..546732afd 100644
--- a/open-vm-tools/lib/hgfsServer/hgfsServerParameters.c
+++ b/open-vm-tools/lib/hgfsServer/hgfsServerParameters.c
@@ -331,20 +331,24 @@ HgfsParseRequest(HgfsPacket *packet, // IN: request packet
       HgfsHeader *header = (HgfsHeader *)request;
       localInput->v4header = TRUE;
       localInput->id = header->requestId;
+      localInput->op = header->op;
       if (packetSize >= offsetof(HgfsHeader, sessionId) + sizeof header->sessionId) {
-         if (header->op != HGFS_OP_CREATE_SESSION_V4) {
+         if (packetSize < header->packetSize ||
+             header->packetSize < header->headerSize) {
+            LOG(4, ("%s: Malformed HGFS packet received - inconsistent header"
+                    " and packet sizes!\n", __FUNCTION__));
+            result = HGFS_ERROR_PROTOCOL;
+         }
+
+         if ((HGFS_ERROR_SUCCESS == result) &&
+             (header->op != HGFS_OP_CREATE_SESSION_V4)) {
             session = HgfsServerTransportGetSessionInfo(transportSession,
                                                         header->sessionId);
             if (!session || session->state != HGFS_SESSION_STATE_OPEN) {
                LOG(4, ("%s: HGFS packet with invalid session id!\n", __FUNCTION__));
                result = HGFS_ERROR_STALE_SESSION;
             }
-         } else if (packetSize < header->packetSize ||
-                    header->packetSize < header->headerSize) {
-            LOG(4, ("%s: Malformed HGFS packet received - inconsistent header"
-                    " and packet sizes!\n", __FUNCTION__));
-            result = HGFS_ERROR_PROTOCOL;
          }
       } else {
          LOG(4, ("%s: Malformed HGFS packet received - header is too small!\n",
@@ -353,7 +357,6 @@ HgfsParseRequest(HgfsPacket *packet, // IN: request packet
       }
       if (HGFS_ERROR_SUCCESS == result) { // Passed all tests
-         localInput->op = header->op;
          localInput->payload = (char *)request + header->headerSize;
          localInput->payloadSize = header->packetSize - header->headerSize;
       }
-- 
2.47.3
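Review bot: The new size test `if (packetSize < header->packetSize || header->packetSize < header->headerSize)` bounds `headerSize` only from above, so a header that advertises a `headerSize` of 0 (or anything shorter than the real header) still passes, and the `payload = (char *)request + header->headerSize` / `payloadSize = header->packetSize - header->headerSize` assignments in the second hunk then hand the caller a payload that overlaps the header fields. A floor consistent with the enclosing test would reject that, e.g. `header->packetSize < header->headerSize || header->headerSize < offsetof(HgfsHeader, sessionId) + sizeof header->sessionId`; whether `sizeof *header` is the intended minimum cannot be told from the hunk. Separately, the moved `localInput->op = header->op;` now reads the header before the size test that guards the other header fields; if an earlier minimum-size check on `packetSize` already covers op's offset this is harmless, but that check is outside the hunk. HgfsParseRequest starts and ends outside the hunk.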