[Bug 265385] lib9p's l9p_puqids() can write beyond the end of qids[]
Date: Fri, 22 Jul 2022 15:01:46 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265385
Bug ID: 265385
Summary: lib9p's l9p_puqids() can write beyond the end of qids[]
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bhyve
Assignee: virtualization@FreeBSD.org
Reporter: rtm@lcs.mit.edu
When a 9P server sends an L9P_RWALK reply, it specifies the number of
qids enclosed as a 16-bit number. l9p_puqids() unpacks the specified
number of qids into its qids argument, which is the wqid element of a
struct l9p_f_rwalk:
    struct l9p_f_rwalk {
        struct l9p_hdr hdr;
        uint16_t nwqid;
        struct l9p_qid wqid[L9P_MAX_WELEM];
    };

    #define L9P_MAX_WELEM 256
l9p_puqids() doesn't check the server's number against this maximum:
    static ssize_t
    l9p_puqids(struct l9p_message *msg, uint16_t *num, struct l9p_qid *qids)
    {
        size_t i, lim;
        ssize_t ret, r;

        r = l9p_pu16(msg, num);
        if (r > 0) {
            for (i = 0, lim = *num; i < lim; i++) {
                ret = l9p_puqid(msg, &qids[i]);
                if (ret < 0)
                    return (-1);
                r += ret;
            }
        }
        return (r);
    }
So if a malicious or enthusiastic server sends back more than 256
qids, the client will write them beyond the end of wqid[].
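The following is an added example, not part of the bug report and not lib9p's code. It reimplements the shape of the reported loop on a minimal, hypothetical message buffer (struct msg, get_u16, get_qid, unpack_qids_* and struct walk_frame are all stand-ins chosen for this example), feeds it a constructed Rwalk payload whose nwqid exceeds L9P_MAX_WELEM, and shows the overrun landing in a guard region placed right after wqid[]. Beside it is the same loop with the one check the report says is missing. The 13-byte qid wire layout (type[1] version[4] path[8], little-endian) is standard 9P, but the fix shown is this example's, not a proposed lib9p patch.

```c
/* Added example: unchecked vs. bounds-checked qid unpacking (not lib9p code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define L9P_MAX_WELEM 256
#define QID_WIRE_SIZE 13   /* 9P qid on the wire: type[1] version[4] path[8] */
#define GUARD_BYTE 0xAA

struct msg { const uint8_t *buf; size_t len; size_t pos; }; /* hypothetical l9p_message stand-in */
struct qid { uint8_t type; uint32_t version; uint64_t path; };
struct rwalk { uint16_t nwqid; struct qid wqid[L9P_MAX_WELEM]; };
/* Hypothetical client buffer: a guard follows wqid[] so an overrun is observable
 * without leaving the enclosing object (guard holds two extra qids at most). */
struct walk_frame { struct rwalk reply; uint64_t guard[4]; };

static int get_u16(struct msg *m, uint16_t *v) {
    if (m->len - m->pos < 2) return -1;
    *v = (uint16_t)(m->buf[m->pos] | (m->buf[m->pos + 1] << 8));
    m->pos += 2;
    return 2;
}

static int get_qid(struct msg *m, struct qid *q) {
    if (m->len - m->pos < QID_WIRE_SIZE) return -1;
    const uint8_t *p = m->buf + m->pos;
    q->type = p[0];
    q->version = 0;
    for (int i = 0; i < 4; i++) q->version |= (uint32_t)p[1 + i] << (8 * i);
    q->path = 0;
    for (int i = 0; i < 8; i++) q->path |= (uint64_t)p[5 + i] << (8 * i);
    m->pos += QID_WIRE_SIZE;
    return QID_WIRE_SIZE;
}

/* Mirrors the reported loop: the server's count is trusted, so nwqid > 256 walks off qids[]. */
static ssize_t unpack_qids_unchecked(struct msg *m, uint16_t *num, struct qid *qids) {
    ssize_t r = get_u16(m, num), ret;
    if (r > 0)
        for (size_t i = 0, lim = *num; i < lim; i++) {
            if ((ret = get_qid(m, &qids[i])) < 0) return -1;
            r += ret;
        }
    return r;
}

/* Hardened variant (this example's fix): refuse a count larger than the destination array. */
static ssize_t unpack_qids_checked(struct msg *m, uint16_t *num, struct qid *qids, size_t cap) {
    ssize_t r = get_u16(m, num), ret;
    if (r > 0) {
        if (*num > cap) return -1;          /* the check the report says is missing */
        for (size_t i = 0, lim = *num; i < lim; i++) {
            if ((ret = get_qid(m, &qids[i])) < 0) return -1;
            r += ret;
        }
    }
    return r;
}

/* Constructed Rwalk body: nwqid followed by n qids; returns byte length, 0 if out fits nothing. */
static size_t build_rwalk(uint16_t n, uint8_t *out, size_t cap) {
    size_t need = 2 + (size_t)n * QID_WIRE_SIZE;
    if (need > cap) return 0;
    out[0] = (uint8_t)n; out[1] = (uint8_t)(n >> 8);
    for (size_t i = 0; i < n; i++) {
        uint8_t *p = out + 2 + i * QID_WIRE_SIZE;
        p[0] = 0x80;                                      /* QTDIR */
        for (int b = 0; b < 4; b++) p[1 + b] = (uint8_t)(i >> (8 * b));
        for (int b = 0; b < 8; b++) p[5 + b] = (uint8_t)((i + 1) >> (8 * b));
    }
    return need;
}

static uint8_t wire[2 + (L9P_MAX_WELEM + 2) * QID_WIRE_SIZE];

/* Feed an n-qid reply to the unchecked parser; 1 if the guard after wqid[] was overwritten,
 * 0 if intact, -1 if n would overrun even the guard (kept inside the frame on purpose). */
int demo_unchecked_overrun(uint16_t n) {
    static struct walk_frame f;
    uint8_t pristine[sizeof f.guard];
    size_t len = build_rwalk(n, wire, sizeof wire);
    if (len == 0) return -1;
    memset(&f, 0, sizeof f);
    memset(f.guard, GUARD_BYTE, sizeof f.guard);
    memcpy(pristine, f.guard, sizeof pristine);
    struct msg m = { wire, len, 0 };
    unpack_qids_unchecked(&m, &f.reply.nwqid, f.reply.wqid);
    return memcmp(f.guard, pristine, sizeof pristine) != 0;
}

/* Same reply through the checked parser; returns bytes consumed, or -1 when rejected. */
ssize_t demo_checked(uint16_t n) {
    static struct rwalk reply;
    size_t len = build_rwalk(n, wire, sizeof wire);
    if (len == 0) return -1;
    struct msg m = { wire, len, 0 };
    return unpack_qids_checked(&m, &reply.nwqid, reply.wqid, L9P_MAX_WELEM);
}

int main(void) {
    printf("unchecked, 256 qids: guard clobbered=%d\n", demo_unchecked_overrun(256));
    printf("unchecked, 257 qids: guard clobbered=%d\n", demo_unchecked_overrun(257));
    printf("checked,   256 qids: ret=%zd\n", demo_checked(256));
    printf("checked,   257 qids: ret=%zd\n", demo_checked(257));
    return 0;
}
```

The guard region exists only so the overrun is visible in a self-contained program; in the real client whatever follows wqid[] in struct l9p_f_rwalk, or after the struct itself, is what a reply with nwqid > L9P_MAX_WELEM would overwrite. Note that the count is compared against the destination capacity before any qid is unpacked, so a malicious count is rejected without partial writes.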