ref: efbe93b047e0638cc601121d95b309724b58edb3
parent: dc3c597979cb56d6078663a36eea0eafc989c991
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Sun Mar 16 02:42:01 EDT 2025
ndb/cs: check for negative or truncated read offset It is possible to read before the reply buffer by passing negative file-offset. Reply with and error instead.
--- a/sys/src/cmd/ndb/cs.c
+++ b/sys/src/cmd/ndb/cs.c
@@ -678,6 +678,11 @@
cnt = job->request.count;
mf->ref++;
+ if(off < 0 || off != job->request.offset){+ err = "bad read offset";
+ goto send;
+ }
+
if(mf->qid.type & QTDIR){clock = time(0);
if(off == 0){--
⑨