git: 7dfe949791e7 - releng/13.1 - lib9p: Remove potential buffer overwrite in l9p_puqids()
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 09 Aug 2022 20:01:26 UTC
The branch releng/13.1 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=7dfe949791e764115dda17ec6b21fba2e0a86a2e commit 7dfe949791e764115dda17ec6b21fba2e0a86a2e Author: Konrad Sewiłło-Jopek <kjopek@gmail.com> AuthorDate: 2022-08-08 16:25:48 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2022-08-09 20:01:13 +0000 lib9p: Remove potential buffer overwrite in l9p_puqids() Structure l9p_f_wralk reserves at most L9P_MAX_WELEM entries and that number actually set the maximum we can safely use. Approved by: so Security: FreeBSD-SA-22:12.lib9p PR: 265385 Reviewed by: markj (cherry picked from commit 2dd83b3f0507fc7bc64b908fb88f285a3b9663c8) (cherry picked from commit c536045c51da78a85138e963d3b7e13a547713c9) --- contrib/lib9p/pack.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/contrib/lib9p/pack.c b/contrib/lib9p/pack.c index 88f0ccb4ad73..cf0ae9111b76 100644 --- a/contrib/lib9p/pack.c +++ b/contrib/lib9p/pack.c @@ -343,13 +343,17 @@ l9p_puqids(struct l9p_message *msg, uint16_t *num, struct l9p_qid *qids) ssize_t ret, r; r = l9p_pu16(msg, num); - if (r > 0) { - for (i = 0, lim = *num; i < lim; i++) { - ret = l9p_puqid(msg, &qids[i]); - if (ret < 0) - return (-1); - r += ret; - } + if (r <= 0) + return (r); + + if (*num > L9P_MAX_WELEM) + return (-1); + + for (i = 0, lim = *num; i < lim; i++) { + ret = l9p_puqid(msg, &qids[i]); + if (ret < 0) + return (-1); + r += ret; } return (r); }