| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20221118135542.63400-2-asmadeus@codewreck.org>
Date: Fri, 18 Nov 2022 22:55:42 +0900
From: Dominique Martinet <asmadeus@...ewreck.org>
To: Stefano Stabellini <sstabellini@...nel.org>
Cc: GUO Zihua <guozihua@...wei.com>, linux_oss@...debyte.com,
v9fs-developer@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
Dominique Martinet <asmadeus@...ewreck.org>
Subject: [PATCH 2/2] 9p: ensure logical size fits allocated size
all buffers used to be msize big, but the size can now vary based on
message type and arguments.
Adjut p9_check_error() to check the logical size (request payload) fits
within the allocated size (capacity) rather than msize
Transports normally all check this when the packet is being read, but
might as well stay coherent.
Fixes: 60ece0833b6c ("net/9p: allocate appropriate reduced message buffers")
Signed-off-by: Dominique Martinet <asmadeus@...ewreck.org>
---
I think with the previous patch this is purely redundant, but better
safe than sorry...
The main problem is that if we didn't find this before we already
overflowed a buffer, so this is quite late!
net/9p/client.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/9p/client.c b/net/9p/client.c
index aaa37b07e30a..45dcc9e5d091 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -514,7 +514,7 @@ static int p9_check_errors(struct p9_client *c, struct p9_req_t *req)
int ecode;
err = p9_parse_header(&req->rc, NULL, &type, NULL, 0);
- if (req->rc.size >= c->msize) {
+ if (req->rc.size >= req->rc.capacity) {
p9_debug(P9_DEBUG_ERROR,
"requested packet size too big: %d\n",
req->rc.size);
--
2.38.1
Powered by blists - more mailing lists