[Bug 265385] lib9p's l9p_puqids() can write beyond the end of qids[]
Date: Fri, 22 Jul 2022 15:01:46 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265385

            Bug ID: 265385
           Summary: lib9p's l9p_puqids() can write beyond the end of qids[]
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bhyve
          Assignee: virtualization@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

When a 9P server sends an L9P_RWALK reply, it specifies the number of qids enclosed as a 16-bit number. l9p_puqids() unpacks the specified number of qids into its qids argument, which is the wqid element of a struct l9p_f_rwalk:

    struct l9p_f_rwalk {
            struct l9p_hdr hdr;
            uint16_t nwqid;
            struct l9p_qid wqid[L9P_MAX_WELEM];
    };

    #define L9P_MAX_WELEM 256

l9p_puqids() doesn't check the server's number against this maximum:

    static ssize_t
    l9p_puqids(struct l9p_message *msg, uint16_t *num, struct l9p_qid *qids)
    {
            size_t i, lim;
            ssize_t ret, r;

            r = l9p_pu16(msg, num);
            if (r > 0) {
                    for (i = 0, lim = *num; i < lim; i++) {
                            ret = l9p_puqid(msg, &qids[i]);
                            if (ret < 0)
                                    return (-1);
                            r += ret;
                    }
            }
            return (r);
    }

So if a malicious or enthusiastic server sends back more than 256 qids, the client will write them beyond the end of wqid[].

-- 
You are receiving this mail because:
You are the assignee for the bug.
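The overrun described in the report, as an added example that is not part of the bug report or of lib9p: a minimal model of the reported l9p_puqids() loop beside a version that rejects the server's count before the first qid is written, both run over a constructed Rwalk reply body. The struct l9p_message layout, the unpack-only l9p_pu16()/l9p_puqid() helpers, and the build_rwalk_body()/unpack_rwalk()/run_case() wrappers are assumptions made for this example (lib9p's real helpers pack or unpack depending on message direction); the 13-byte little-endian qid encoding and L9P_MAX_WELEM follow 9P2000 and the report.

```c
/* Added example, not lib9p's code. Models the reported loop and a
 * bounds-checked variant over a constructed L9P_RWALK reply body. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define L9P_MAX_WELEM 256
#define QID_WIRE_LEN  13            /* type(1) + version(4) + path(8) */

struct l9p_qid { uint8_t type; uint32_t version; uint64_t path; };

struct l9p_f_rwalk {                /* hdr omitted for brevity */
    uint16_t       nwqid;
    struct l9p_qid wqid[L9P_MAX_WELEM];
};

/* Assumed simplified message: read-only buffer plus a read cursor. */
struct l9p_message { const uint8_t *buf; size_t len; size_t pos; };

static uint64_t get_le(const uint8_t *p, size_t n) {
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

static ssize_t l9p_pu16(struct l9p_message *msg, uint16_t *val) {
    if (msg->len - msg->pos < 2) return -1;            /* short read */
    *val = (uint16_t)get_le(msg->buf + msg->pos, 2);
    msg->pos += 2;
    return 2;
}

static ssize_t l9p_puqid(struct l9p_message *msg, struct l9p_qid *qid) {
    const uint8_t *p = msg->buf + msg->pos;
    if (msg->len - msg->pos < QID_WIRE_LEN) return -1; /* short read */
    qid->type    = p[0];
    qid->version = (uint32_t)get_le(p + 1, 4);
    qid->path    = get_le(p + 5, 8);
    msg->pos += QID_WIRE_LEN;
    return QID_WIRE_LEN;
}

/* The loop as reported: the server's count is trusted and never compared
 * with the L9P_MAX_WELEM-sized destination; only a truncated message
 * stops it, via the short-read check in l9p_puqid(). */
static ssize_t l9p_puqids_unchecked(struct l9p_message *msg, uint16_t *num,
                                    struct l9p_qid *qids) {
    ssize_t r = l9p_pu16(msg, num);
    if (r > 0) {
        for (size_t i = 0, lim = *num; i < lim; i++) {
            ssize_t ret = l9p_puqid(msg, &qids[i]);
            if (ret < 0) return -1;
            r += ret;
        }
    }
    return r;
}

/* Hardened: reject an over-count before anything lands in qids[]. */
static ssize_t l9p_puqids_checked(struct l9p_message *msg, uint16_t *num,
                                  struct l9p_qid *qids) {
    ssize_t r = l9p_pu16(msg, num);
    if (r > 0) {
        if (*num > L9P_MAX_WELEM) return -1;           /* would overflow */
        for (size_t i = 0, lim = *num; i < lim; i++) {
            ssize_t ret = l9p_puqid(msg, &qids[i]);
            if (ret < 0) return -1;
            r += ret;
        }
    }
    return r;
}

/* Constructed test data: nwqid (LE16) then nwqid qids, each a directory
 * qid (type 0x80) with version 0 and path == its index. */
static size_t build_rwalk_body(uint8_t *out, size_t cap, uint16_t nwqid) {
    size_t need = 2 + (size_t)nwqid * QID_WIRE_LEN;
    if (cap < need) return 0;
    out[0] = (uint8_t)(nwqid & 0xff);
    out[1] = (uint8_t)(nwqid >> 8);
    for (uint64_t i = 0; i < nwqid; i++) {
        uint8_t *q = out + 2 + (size_t)i * QID_WIRE_LEN;
        memset(q, 0, QID_WIRE_LEN);
        q[0] = 0x80;
        for (int b = 0; b < 8; b++) q[5 + b] = (uint8_t)(i >> (8 * b));
    }
    return need;
}

static ssize_t unpack_rwalk(const uint8_t *buf, size_t len,
                            struct l9p_f_rwalk *rw, int checked) {
    struct l9p_message msg = { buf, len, 0 };
    return checked ? l9p_puqids_checked(&msg, &rw->nwqid, rw->wqid)
                   : l9p_puqids_unchecked(&msg, &rw->nwqid, rw->wqid);
}

/* Build a reply advertising nwqid qids, optionally truncate it to len
 * bytes (0 = whole body), then unpack it with the chosen variant. */
static ssize_t run_case(uint16_t nwqid, size_t len, int checked,
                        struct l9p_f_rwalk *rw) {
    static uint8_t buf[2 + 300 * QID_WIRE_LEN];
    size_t n = build_rwalk_body(buf, sizeof buf, nwqid);
    if (n == 0) return -1;
    return unpack_rwalk(buf, len ? len : n, rw, checked);
}

int main(void) {
    struct l9p_f_rwalk rw;
    printf("3 qids, checked:      %zd\n", run_case(3, 0, 1, &rw));   /* 41 */
    printf("3 qids, unchecked:    %zd\n", run_case(3, 0, 0, &rw));   /* 41 */
    printf("3 qids, truncated:    %zd\n", run_case(3, 28, 0, &rw));  /* -1 */
    printf("300 qids, checked:    %zd\n", run_case(300, 0, 1, &rw)); /* -1 */
    /* run_case(300, 0, 0, &rw) would write wqid[256..299], 44 qids past
     * the end of the array (undefined behaviour), so it is not called. */
    return 0;
}
```

The check has to sit before the loop, not inside it: once l9p_puqid() has stored into wqid[256] the damage is done. The truncated case (count says 3, only 2 qids present) is already rejected by the existing short-read check in l9p_puqid(), which is why the report is specifically about an over-count rather than a short message. A client that tracks its outstanding Twalk can tighten the bound further, since 9P2000 also requires nwqid in the reply to be at most the nwname it sent.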