39c3fd117a
mischief provided the following test that shows the issue: ramfs -S crash aux/9pcon /srv/crash <<EOF Tversion 8192 9P2000 Tattach 0 -1 $user '' Tcreate 0 dir 020000000777 0 Tattach 5 -1 $user '' Twalk 5 6 dir Tread 6 0 512 EOF the problem is that lib9p wrongly allowed reads on closed fids, due to the permission check only considering the lower 2 bits. a closed fid has fid->omode == -1 and it would pass on read for: (-1 & 3) == 3 == OEXEC the following change explicitely checks for for the closed case and also rejects writes on directories (they are rejected on open/create, but a broken 9p client could still issue the request). |
||
---|---|---|
.. | ||
doc | ||
games/lib | ||
include | ||
lib | ||
man | ||
src |