commit 3242c0bccce6e6d431c59b04e2cd955e732fa074 from: Omar Polo date: Tue Dec 14 17:36:21 2021 UTC don't let nwqid become negative at the start of the loop nwqid is 0, so if the first component can't be opened nwqid becomes -1 and since it's not 0, we end up calling np_walk with -1 as length. This in turns converts it back to uint16_t and we generate an invalid packet. The solution is to not decrement nwqid at all, it fixes all the current tests case and is the correct behaviour that the rest of the code expects. commit - 054cd6b98fbb367f781b25084661076f5c1fe4b1 commit + 3242c0bccce6e6d431c59b04e2cd955e732fa074 blob - 86d1c8a51a4c7c63249f0344ed9cc3e51c1597be blob + 942a9436ab608ca818a0e6788a6d48774c385bbe
--- client.c
+++ client.c
@@ -959,16 +959,12 @@ twalk(struct np_msg_header *hdr, const uint8_t *data,
 }
 if ((fd = openat(oldfd, wnam, O_RDONLY|O_DIRECTORY)) == -1 &&
- errno != ENOTDIR) {
- nwqid--;
+ errno != ENOTDIR)
 goto cantopen;
- }
 if ((fd == -1 && fstatat(oldfd, wnam, &sb, 0) == -1) ||
- (fd != -1 && fstat(fd, &sb) == -1)) {
- nwqid--;
+ (fd != -1 && fstat(fd, &sb) == -1))
 goto cantopen;
- }
 qid_update_from_sb(&wqid[nwqid], &sb);