Blob
- Date:
- Message:
- fspread: fix buffer overflow Without this fix, fspread is trusting the server to return as much data as requested, or less. If a server responds with more data though, fspread writes beyond the bounds of the buffer to fill, which is passed in by the caller. It depends on the caller of fspread() where that buffer is, so there are various possible attack vectors. In the Plan9 kernel, I found this implemented in devmnt.c, where overly large responses are truncated to the size requested before copying, so I assume that this strategy works here too. This also affects fsread() and fsreadn(), which are based on fspread().
- Actions:
- History | Blame | Raw File
1 /* Copyright (C) 2003 Russ Cox, Massachusetts Institute of Technology */2 /* See COPYRIGHT */4 #include <u.h>5 #include <libc.h>6 #include <fcall.h>7 #include <9pclient.h>8 #include "fsimpl.h"10 long11 fspread(CFid *fid, void *buf, long n, vlong offset)12 {13 Fcall tx, rx;14 void *freep;15 uint msize;16 long nr;18 msize = fid->fs->msize - IOHDRSZ;19 if(n > msize)20 n = msize;21 tx.type = Tread;22 tx.fid = fid->fid;23 if(offset == -1){24 qlock(&fid->lk);25 tx.offset = fid->offset;26 qunlock(&fid->lk);27 }else28 tx.offset = offset;29 tx.count = n;31 if(_fsrpc(fid->fs, &tx, &rx, &freep) < 0)32 return -1;33 if(rx.type == Rerror){34 werrstr("%s", rx.ename);35 free(freep);36 return -1;37 }38 nr = rx.count;39 if(nr > n)40 nr = n;42 if(nr){43 memmove(buf, rx.data, nr);44 if(offset == -1){45 qlock(&fid->lk);46 fid->offset += nr;47 qunlock(&fid->lk);48 }49 }50 free(freep);52 return nr;53 }55 long56 fsread(CFid *fid, void *buf, long n)57 {58 return fspread(fid, buf, n, -1);59 }61 long62 fsreadn(CFid *fid, void *buf, long n)63 {64 long tot, nn;66 for(tot=0; tot<n; tot+=nn){67 nn = fsread(fid, (char*)buf+tot, n-tot);68 if(nn <= 0){69 if(tot == 0)70 return nn;71 break;72 }73 }74 return tot;75 }