lib9p: Remove potential buffer overwrite in l9p_puqids()

Structure l9p_f_wralk reserves at most L9P_MAX_WELEM entries,
and that number actually sets the maximum we can safely use.

PR:		265385
Reviewed by:	markj
MFC after:	1 day
Differential Revision:	https://reviews.freebsd.org/D35907
Konrad Sewiłło-Jopek 2022-08-08 12:25:48 -04:00 committed by Mark Johnston
parent 1b0a4974c5
commit 2dd83b3f05


@ -343,13 +343,17 @@ l9p_puqids(struct l9p_message *msg, uint16_t *num, struct l9p_qid *qids)
ssize_t ret, r; ssize_t ret, r;
r = l9p_pu16(msg, num); r = l9p_pu16(msg, num);
if (r > 0) { if (r <= 0)
for (i = 0, lim = *num; i < lim; i++) { return (r);
ret = l9p_puqid(msg, &qids[i]);
if (ret < 0) if (*num > L9P_MAX_WELEM)
return (-1); return (-1);
r += ret;
} for (i = 0, lim = *num; i < lim; i++) {
ret = l9p_puqid(msg, &qids[i]);
if (ret < 0)
return (-1);
r += ret;
} }
return (r); return (r);
} }
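Review bot: The new `*num > L9P_MAX_WELEM` check hard-codes the capacity of one caller's array into a helper that only receives a bare `qids` pointer, so it protects only callers whose array has at least L9P_MAX_WELEM entries. That contract is not visible in the hunk and should be stated above the check, for example `/* qids must have room for L9P_MAX_WELEM entries; a larger count is rejected before any qid is touched. */`. On the new `return (-1)` path, `*num` has presumably already been filled in by `l9p_pu16()` with the oversized value. If so, the comment should also say that the count is not to be used after a failure. The start of l9p_puqids() lies outside the hunk, so whether `lim` and `i` are wide enough for the comparison cannot be confirmed from here.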