lib9p: Remove potential buffer overwrite in l9p_puqids()

Structure l9p_f_wralk reserves at most L9P_MAX_WELEM entries and that number actually set the maximum we can safely use. PR: 265385 Reviewed by: markj MFC after: 1 day Differential Revision: https://reviews.freebsd.org/D35907
2022-08-08 12:25:48 -04:00 · 2022-08-08 12:25:48 -04:00 · 2dd83b3f05
commit 2dd83b3f05
parent 1b0a4974c5
1 changed files with 11 additions and 7 deletions
--- a/contrib/lib9p/pack.c
+++ b/contrib/lib9p/pack.c
@ -343,13 +343,17 @@ l9p_puqids(struct l9p_message *msg, uint16_t *num, struct l9p_qid *qids)
 	ssize_t ret, r;

 	r = l9p_pu16(msg, num);
-	if (r > 0) {
-		for (i = 0, lim = *num; i < lim; i++) {
-			ret = l9p_puqid(msg, &qids[i]);
-			if (ret < 0)
-				return (-1);
-			r += ret;
-		}
+	if (r <= 0)
+		return (r);
+
+	if (*num > L9P_MAX_WELEM)
+		return (-1);
+
+	for (i = 0, lim = *num; i < lim; i++) {
+		ret = l9p_puqid(msg, &qids[i]);
+		if (ret < 0)
+			return (-1);
+		r += ret;
 	}
 	return (r);
 }