git: 7dfe949791e7 - releng/13.1 - lib9p: Remove potential buffer overwrite in l9p_puqids()

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Tue, 09 Aug 2022 20:01:26 UTC
The branch releng/13.1 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=7dfe949791e764115dda17ec6b21fba2e0a86a2e

commit 7dfe949791e764115dda17ec6b21fba2e0a86a2e
Author:     Konrad Sewiłło-Jopek <kjopek@gmail.com>
AuthorDate: 2022-08-08 16:25:48 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-08-09 20:01:13 +0000

    lib9p: Remove potential buffer overwrite in l9p_puqids()
    
    Structure l9p_f_wralk reserves at most L9P_MAX_WELEM entries
    and that number actually set the maximum we can safely use.
    
    Approved by:    so
    Security:       FreeBSD-SA-22:12.lib9p
    PR:             265385
    Reviewed by:    markj
    
    (cherry picked from commit 2dd83b3f0507fc7bc64b908fb88f285a3b9663c8)
    (cherry picked from commit c536045c51da78a85138e963d3b7e13a547713c9)
---
 contrib/lib9p/pack.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/contrib/lib9p/pack.c b/contrib/lib9p/pack.c
index 88f0ccb4ad73..cf0ae9111b76 100644
--- a/contrib/lib9p/pack.c
+++ b/contrib/lib9p/pack.c
@@ -343,13 +343,17 @@ l9p_puqids(struct l9p_message *msg, uint16_t *num, struct l9p_qid *qids)
 	ssize_t ret, r;
 
 	r = l9p_pu16(msg, num);
-	if (r > 0) {
-		for (i = 0, lim = *num; i < lim; i++) {
-			ret = l9p_puqid(msg, &qids[i]);
-			if (ret < 0)
-				return (-1);
-			r += ret;
-		}
+	if (r <= 0)
+		return (r);
+
+	if (*num > L9P_MAX_WELEM)
+		return (-1);
+
+	for (i = 0, lim = *num; i < lim; i++) {
+		ret = l9p_puqid(msg, &qids[i]);
+		if (ret < 0)
+			return (-1);
+		r += ret;
 	}
 	return (r);
 }