[Bug 265385] lib9p's l9p_puqids() can write beyond the end of qids[]

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 22 Jul 2022 15:01:46 UTC

            Bug ID: 265385
           Summary: lib9p's l9p_puqids() can write beyond the end of
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bhyve
          Assignee: virtualization@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

When a 9P server sends an L9P_RWALK reply, it specifies the number of
qids enclosed as a 16-bit number. l9p_puqids() unpacks the specified
number of qids into its qids argument, which is the wqid element of a
struct l9p_f_rwalk:

  struct l9p_f_rwalk {
        struct l9p_hdr hdr;
        uint16_t nwqid;
        struct l9p_qid wqid[L9P_MAX_WELEM];

#define L9P_MAX_WELEM   256

l9p_puqids() doesn't check the server's number against this maximum:

static ssize_t
l9p_puqids(struct l9p_message *msg, uint16_t *num, struct l9p_qid *qids)
        size_t i, lim;
        ssize_t ret, r;

        r = l9p_pu16(msg, num);

        if (r > 0) {
                for (i = 0, lim = *num; i < lim; i++) {
                        ret = l9p_puqid(msg, &qids[i]);
                        if (ret < 0)
                                return (-1);
                        r += ret;
        return (r);

So if a malicious or enthusiastic server sends back more than 256
qids, the client will write them beyond the end of wqid[].

You are receiving this mail because:
You are the assignee for the bug.