cirno/plan9port
1
0
Fork 0
mirror of https://github.com/9fans/plan9port.git synced 2025-01-12 11:10:07 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fspread: fix buffer overflow

Browse source 
Without this fix, fspread is trusting the server to return as much
data as requested, or less. If a server responds with more data
though, fspread writes beyond the bounds of the buffer to fill, which
is passed in by the caller. It depends on the caller of fspread()
where that buffer is, so there are various possible attack vectors.

In the Plan9 kernel, I found this implemented in devmnt.c, where
overly large responses are truncated to the size requested before
copying, so I assume that this strategy works here too.

This also affects fsread() and fsreadn(), which are based on
fspread().
This commit is contained in:
Günther Noack 2020-08-17 21:11:56 +02:00 committed by Dan Cross
parent 88a87fadae
commit 878b30c0bc
1 changed files with 9 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
src/lib9pclient/read.c
View file

@ -13,6 +13,7 @@ fspread(CFid *fid, void *buf, long n, vlong offset)
Fcall tx, rx; Fcall tx, rx;
void *freep; void *freep;
uint msize; uint msize;
long nr;
msize = fid->fs->msize - IOHDRSZ; msize = fid->fs->msize - IOHDRSZ;
if(n > msize) if(n > msize)
@ -34,17 +35,21 @@ fspread(CFid *fid, void *buf, long n, vlong offset)
free(freep); free(freep);
return -1; return -1;
} }
if(rx.count){ nr = rx.count;
memmove(buf, rx.data, rx.count); if(nr > n)
nr = n;
if(nr){
memmove(buf, rx.data, nr);
if(offset == -1){ if(offset == -1){
qlock(&fid->lk); qlock(&fid->lk);
fid->offset += rx.count; fid->offset += nr;
qunlock(&fid->lk); qunlock(&fid->lk);
} }
} }
free(freep); free(freep);
return rx.count; return nr;
} }
long long