Date:      Fri, 22 Jul 2022 15:01:46 +0000
From:      bugzilla-noreply@freebsd.org
To:        virtualization@FreeBSD.org
Subject:   [Bug 265385] lib9p's l9p_puqids() can write beyond the end of qids[]
Message-ID:  <bug-265385-27103@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265385

            Bug ID: 265385
           Summary: lib9p's l9p_puqids() can write beyond the end of
                    qids[]
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bhyve
          Assignee: virtualization@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

When a 9P server sends an L9P_RWALK reply, it specifies the number of
qids enclosed as a 16-bit number. l9p_puqids() unpacks the specified
number of qids into its qids argument, which is the wqid element of a
struct l9p_f_rwalk:

  struct l9p_f_rwalk {
        struct l9p_hdr hdr;
        uint16_t nwqid;
        struct l9p_qid wqid[L9P_MAX_WELEM];
  };

#define L9P_MAX_WELEM   256

l9p_puqids() doesn't check the server's number against this maximum:

static ssize_t
l9p_puqids(struct l9p_message *msg, uint16_t *num, struct l9p_qid *qids)
{
        size_t i, lim;
        ssize_t ret, r;

        /* Unpack the 16-bit qid count supplied by the peer. */
        r = l9p_pu16(msg, num);

        if (r > 0) {
                /* No comparison of *num against L9P_MAX_WELEM before writing. */
                for (i = 0, lim = *num; i < lim; i++) {
                        ret = l9p_puqid(msg, &qids[i]);
                        if (ret < 0)
                                return (-1);
                        r += ret;
                }
        }
        return (r);
}

So if a malicious or enthusiastic server sends back more than 256
qids, the client will write them beyond the end of wqid[].
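The following is an added illustration, not lib9p's code and not part of the bug report: a simplified, self-contained model of unpacking an RWALK qid list that validates the peer-supplied count against the capacity of the destination array before writing any element. The struct names, the byte-cursor message type, and the helper names (`get_le16`, `get_qid`, `puqids_checked`, `build_rwalk`) are assumptions made for this example; only `L9P_MAX_WELEM` and the 13-byte qid wire size come from 9P itself.

```c
/*
 * Added example (not lib9p's code): bounded unpacking of an RWALK reply's
 * qid list. A reply whose nwqid exceeds the array capacity, or whose body
 * is shorter than nwqid claims, is rejected instead of being written out
 * of bounds.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>

#define L9P_MAX_WELEM 256
#define QID_SIZE 13   /* 9P qid on the wire: type(1) + version(4) + path(8) */

/* Assumed minimal stand-ins for struct l9p_qid and struct l9p_message. */
struct qid { uint8_t type; uint32_t version; uint64_t path; };
struct msgbuf { const uint8_t *data; size_t len; size_t pos; };

/* Read a little-endian uint16 from the message; -1 if truncated. */
static ssize_t get_le16(struct msgbuf *m, uint16_t *v) {
    if (m->len - m->pos < 2) return -1;
    *v = (uint16_t)(m->data[m->pos] | (m->data[m->pos + 1] << 8));
    m->pos += 2;
    return 2;
}

/* Read one 13-byte qid from the message; -1 if truncated. */
static ssize_t get_qid(struct msgbuf *m, struct qid *q) {
    if (m->len - m->pos < QID_SIZE) return -1;
    const uint8_t *p = m->data + m->pos;
    q->type = p[0];
    q->version = (uint32_t)p[1] | (uint32_t)p[2] << 8 |
                 (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
    q->path = 0;
    for (int i = 0; i < 8; i++) q->path |= (uint64_t)p[5 + i] << (8 * i);
    m->pos += QID_SIZE;
    return QID_SIZE;
}

/*
 * Checked counterpart of l9p_puqids(): the caller passes the capacity of
 * qids[], and the peer's count is validated against it before the loop.
 * Returns bytes consumed, or -1 on an oversized or truncated reply.
 */
static ssize_t puqids_checked(struct msgbuf *m, uint16_t *num,
                              struct qid *qids, size_t cap) {
    ssize_t r = get_le16(m, num);
    if (r < 0) return -1;
    if (*num > cap) return -1;          /* the check missing in the report */
    for (size_t i = 0; i < *num; i++) {
        ssize_t ret = get_qid(m, &qids[i]);
        if (ret < 0) return -1;         /* body shorter than nwqid claims */
        r += ret;
    }
    return r;
}

/* Constructed test input: nwqid followed by that many zeroed qids. */
static size_t build_rwalk(uint8_t *out, size_t outlen, uint16_t nwqid) {
    size_t need = 2 + (size_t)nwqid * QID_SIZE;
    if (need > outlen) return 0;
    out[0] = (uint8_t)(nwqid & 0xff);
    out[1] = (uint8_t)(nwqid >> 8);
    memset(out + 2, 0, need - 2);
    return need;
}

/* Bytes consumed for a well-formed reply carrying nwqid qids, or -1 if rejected. */
ssize_t rwalk_consumed(uint16_t nwqid) {
    uint8_t buf[2 + 512 * QID_SIZE];
    struct qid wqid[L9P_MAX_WELEM];
    uint16_t n = 0;
    size_t len = build_rwalk(buf, sizeof buf, nwqid);
    if (len == 0) return -1;
    struct msgbuf m = { buf, len, 0 };
    return puqids_checked(&m, &n, wqid, L9P_MAX_WELEM);
}

/* A reply claiming two qids but carrying only one must also be rejected. */
ssize_t rwalk_truncated(void) {
    uint8_t buf[2 + QID_SIZE];
    struct qid wqid[L9P_MAX_WELEM];
    uint16_t n = 0;
    build_rwalk(buf, sizeof buf, 1);
    buf[0] = 2;                         /* lie about the count */
    struct msgbuf m = { buf, sizeof buf, 0 };
    return puqids_checked(&m, &n, wqid, L9P_MAX_WELEM);
}

int main(void) {
    printf("2 qids: %zd, 256 qids: %zd, 257 qids: %zd, truncated: %zd\n",
           rwalk_consumed(2), rwalk_consumed(256), rwalk_consumed(257),
           rwalk_truncated());
    return 0;
}
```

The point of passing `cap` explicitly is that the unpacker cannot know the size of the array it is handed otherwise; the same check has to exist wherever a peer-supplied element count drives writes into a fixed-size field.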
