code: plan9front


ref: fe4b87e6826469cf3c03bcfc4203336361b5bf68
parent: f0f2d452c873255dec4b3359b3f93e349be0f2c5
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Sun Mar 24 13:05:55 EDT 2024

devmnt: handle too short or negative message sizes

The 9p 4-byte size field must not be smaller
than 7 (4+1+2) to have a valid 9p header.

Note that len here is signed so this also handles
negative values.

--- a/sys/src/9/port/devmnt.c
+++ b/sys/src/9/port/devmnt.c
@@ -1109,8 +1109,8 @@
 
 	/* read in the rest of the message, avoid ridiculous (for now) message sizes */
 	len = GBIT32(nb->rp);
-	if(len > m->msize){
-		qdiscard(m->q, qlen(m->q));
+	if(len < BIT32SZ+BIT8SZ+BIT16SZ || len > m->msize){
+		qflush(m->q);
 		return -1;
 	}
 	if(doread(m, len) < 0)
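Review bot: The comment above the new check still only mentions "ridiculous" (too large) sizes, so the reason for the lower bound on `len` is recorded only in the commit message. I would extend it directly above the `if(len < BIT32SZ+BIT8SZ+BIT16SZ || len > m->msize)` line, e.g. `/* size[4] type[1] tag[2] is the smallest valid 9P message; len is signed, so negative sizes are rejected here too */`. The declaration of `len` is outside the hunk, and the negative-size handling relies on it being signed (per the commit message), which is worth stating next to the check for whoever touches that declaration later. The enclosing function begins and ends outside the hunk.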