9p message size too small
Various file servers do not check whether the message size is too small; they later subtract IOHDRSZ from it to calculate iounit, and that subtraction can overflow.
parent
dbbbff8915
commit
3787f721c1
|
@ -224,6 +224,8 @@ Version(Fid*)
|
|||
for(f = fids; f; f = f->next)
|
||||
if(f->busy)
|
||||
Clunk(f);
|
||||
if(rhdr.msize < 256)
|
||||
return "message size too small";
|
||||
if(rhdr.msize > sizeof mdata)
|
||||
thdr.msize = sizeof mdata;
|
||||
else
|
||||
|
|
|
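Review bot: The added `if(rhdr.msize < 256)` check in Version runs after the loop that calls `Clunk(f)` on every busy fid, so a Tversion rejected for its size has already torn down the connection's fids; the rversion hunk that follows has the same order with `rclunk(f)`. Moving the two added lines above `for(f = fids; f; f = f->next)` would reject the request before any state changes. The bare `256` is also repeated in all eight hunks with nothing tying it to IOHDRSZ; a shared named constant, or a comment such as `/* msize must leave room for IOHDRSZ when iounit is computed */`, would document the bound. Version's body starts and ends outside the hunk.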
@ -221,6 +221,8 @@ rversion(Fid*)
|
|||
for(f = fids; f; f = f->next)
|
||||
if(f->busy)
|
||||
rclunk(f);
|
||||
if(thdr.msize < 256)
|
||||
return "message size too small";
|
||||
if(thdr.msize > sizeof mdata)
|
||||
rhdr.msize = sizeof mdata;
|
||||
else
|
||||
|
|
|
@ -113,7 +113,7 @@ mkdir9p2(Dir* dir, Dentry* dentry, void* strs)
|
|||
static int
|
||||
version(Chan* chan, Fcall* f, Fcall* r)
|
||||
{
|
||||
if(chan->protocol != nil)
|
||||
if(chan->protocol != nil || f->msize < 256)
|
||||
return Eversion;
|
||||
|
||||
if(f->msize < MSIZE)
|
||||
|
|
|
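Review bot: Folding `f->msize < 256` into the existing `chan->protocol != nil` test makes a too-small message size return Eversion, the same error as the protocol check, so the client cannot tell which condition failed. The fsversion hunk after this one returns Econvert for the same condition, and the other file servers in this commit return a "message size too small" string, so the reporting is inconsistent across servers. If the error table has no closer entry, a comment on the combined condition such as `/* reject msize too small to hold IOHDRSZ */` would at least record why the size is tested here. The function body continues outside the hunk.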
@ -15,6 +15,9 @@ seterror(Fcall *ou, int err)
|
|||
static int
|
||||
fsversion(Chan* chan, Fcall* f, Fcall* r)
|
||||
{
|
||||
if(f->msize < 256)
|
||||
return Econvert;
|
||||
|
||||
if(f->msize < MSIZE)
|
||||
r->msize = f->msize;
|
||||
else
|
||||
|
|
|
@ -26,11 +26,17 @@ Xversion(Fsrpc *t)
|
|||
{
|
||||
Fcall rhdr;
|
||||
|
||||
if(t->work.msize < 256){
|
||||
reply(&t->work, &rhdr, "version: message size too small");
|
||||
t->busy = 0;
|
||||
return;
|
||||
}
|
||||
if(t->work.msize > messagesize)
|
||||
t->work.msize = messagesize;
|
||||
messagesize = t->work.msize;
|
||||
if(strncmp(t->work.version, "9P2000", 6) != 0){
|
||||
reply(&t->work, &rhdr, Eversion);
|
||||
t->busy = 0;
|
||||
return;
|
||||
}
|
||||
rhdr.version = "9P2000";
|
||||
|
|
|
@ -304,11 +304,13 @@ rnop(Fid *f)
|
|||
char*
|
||||
rversion(Fid*)
|
||||
{
|
||||
if(thdr.msize > sizeof(mdata))
|
||||
rhdr.msize = messagesize;
|
||||
if(thdr.msize < 256)
|
||||
return "version: message size too small";
|
||||
if(thdr.msize > sizeof mdata)
|
||||
rhdr.msize = sizeof mdata;
|
||||
else
|
||||
rhdr.msize = thdr.msize;
|
||||
messagesize = thdr.msize;
|
||||
messagesize = rhdr.msize;
|
||||
|
||||
if(strncmp(thdr.version, "9P2000", 6) != 0)
|
||||
return "unknown 9P version";
|
||||
|
|
|
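Review bot: `messagesize = rhdr.msize;` is assigned before the `strncmp(thdr.version, "9P2000", 6)` test, so a Tversion that is then rejected with "unknown 9P version" has still changed the global messagesize. Assigning it only after the version string is accepted would keep a failed negotiation from altering server state; how much this matters depends on where messagesize is read, which is outside this hunk. The Xversion hunk above has the same order in its unchanged lines, with `messagesize = t->work.msize;` before the Eversion reply. rversion's body continues past the end of the hunk.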
@ -355,6 +355,10 @@ serve(int rfd, int wfd)
|
|||
void
|
||||
rversion(Fcall *rx, Fcall *tx)
|
||||
{
|
||||
if(rx->msize < 256){
|
||||
seterror(tx, "version: message size too small");
|
||||
return;
|
||||
}
|
||||
if(msize > rx->msize)
|
||||
msize = rx->msize;
|
||||
tx->msize = msize;
|
||||
|
|
|
@ -503,6 +503,8 @@ Exputfid(Export *fs, Fid *f)
|
|||
static char*
|
||||
Exversion(Export *fs, Fcall *rpc, uchar *)
|
||||
{
|
||||
if(rpc->msize < 256)
|
||||
return "version: message size too small";
|
||||
if(rpc->msize > Maxrpc)
|
||||
rpc->msize = Maxrpc;
|
||||
if(strncmp(rpc->version, "9P", 2) != 0){
|
||||
|
|