kernel: Limit parsecmd() to a maximum of READSTR bytes

A user can create a large demand paged segment and then do write to a ctl file with a very large buffer driving the kernel into an out-of-memory condition. For all practcal purposes, limit the input buffer size to something reasonable. READSTR is 8000 bytes, which would be enougth for even the largest ctl messages.
2025-01-12 11:10:06 +00:00 · 2024-10-20 12:07:08 +00:00 · 2024-10-20 12:07:08 +00:00 · fcdfb151e2
commit fcdfb151e2
parent 5beba2cf33
2 changed files with 12 additions and 1 deletions
--- a/sys/man/9/parsecmd
+++ b/sys/man/9/parsecmd
@ -67,6 +67,14 @@ is allocated by
 .IR malloc (9)),
 and the caller is responsible for freeing it using
 .IR free .
+To prevent denial of service to the kernel,
+.I parsecmd
+will error out if
+.I n
+exceeds
+.B READSTR
+bytes.
+.PP
 .I Cmderror
 prepends the given format with the original command,
 then calls
--- a/sys/src/9/port/parse.c
+++ b/sys/src/9/port/parse.c
@ -36,10 +36,13 @@ ncmdfield(char *p, int n)
 Cmdbuf*
 parsecmd(char *p, int n)
 {
-	Cmdbuf *volatile cb;
+	Cmdbuf *cb;
 	int nf;
 	char *sp;

+	if(up!=nil && (uint)n > READSTR)
+		error("control message too big");
+
 	nf = ncmdfield(p, n);

 	/* allocate Cmdbuf plus string pointers plus copy of string including \0 */