lib9p: Remove potential buffer overwrite in l9p_puqids()
Structure l9p_f_wralk reserves at most L9P_MAX_WELEM entries and that number actually set the maximum we can safely use. PR: 265385 Reviewed by: markj MFC after: 1 day Differential Revision: https://reviews.freebsd.org/D35907
This commit is contained in:
parent
1b0a4974c5
commit
2dd83b3f05
@ -343,13 +343,17 @@ l9p_puqids(struct l9p_message *msg, uint16_t *num, struct l9p_qid *qids)
|
|||||||
ssize_t ret, r;
|
ssize_t ret, r;
|
||||||
|
|
||||||
r = l9p_pu16(msg, num);
|
r = l9p_pu16(msg, num);
|
||||||
if (r > 0) {
|
if (r <= 0)
|
||||||
for (i = 0, lim = *num; i < lim; i++) {
|
return (r);
|
||||||
ret = l9p_puqid(msg, &qids[i]);
|
|
||||||
if (ret < 0)
|
if (*num > L9P_MAX_WELEM)
|
||||||
return (-1);
|
return (-1);
|
||||||
r += ret;
|
|
||||||
}
|
for (i = 0, lim = *num; i < lim; i++) {
|
||||||
|
ret = l9p_puqid(msg, &qids[i]);
|
||||||
|
if (ret < 0)
|
||||||
|
return (-1);
|
||||||
|
r += ret;
|
||||||
}
|
}
|
||||||
return (r);
|
return (r);
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user