git: 9front

Download patch

ref: d0cbed9021337e62d90eabd4601b9e2407ce1044
parent: 9740263b4af9b54e69678d9188366cab30911748
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Sun Mar 24 13:05:55 EDT 2024 

devmnt: handle too short or negative message sizes

The 9p 4-byte size field must not be smaller
than 7 (4+1+2) to have a valid 9p header.

Note that len here is signed so this also handles
negative values.


--- a/sys/src/9/port/devmnt.c
+++ b/sys/src/9/port/devmnt.c
@@ -1109,8 +1109,8 @@
 
 	/* read in the rest of the message, avoid ridiculous (for now) message sizes */
 	len = GBIT32(nb->rp);
-	if(len > m->msize){
-		qdiscard(m->q, qlen(m->q));
+	if(len < BIT32SZ+BIT8SZ+BIT16SZ || len > m->msize){
+		qflush(m->q);
 		return -1;
 	}
 	if(doread(m, len) < 0)
--