shithub: plan9front

Download patch

ref: a4c1f3cc18df6fddd548f4df9f209695c4eb7263
parent: 68572ab45102118db695ab1bcc935b9b3b95c7ca
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Mon Nov 8 20:46:13 EST 2021

devtls: reject zero length records (thanks sigrid)

zero length record causes ensure() todo nothing,
while qgrab() assumes there is at least one buffer
in the queue and would dereference the nil buffer.

--- a/sys/src/9/port/devtls.c	Mon Nov  8 20:29:30 2021
+++ b/sys/src/9/port/devtls.c	Mon Nov  8 20:46:13 2021
@@ -766,8 +766,8 @@
 	if(ver != tr->version && (tr->verset || ver < MinProtoVersion || ver > MaxProtoVersion))
 		rcvError(tr, EProtocolVersion, "devtls expected ver=%x%s, saw (len=%d) type=%x ver=%x '%.12s'",
 			tr->version, tr->verset?"/set":"", len, type, ver, (char*)header);
-	if(len > MaxCipherRecLen || len < 0)
-		rcvError(tr, ERecordOverflow, "record message too long %d", len);
+	if(len > MaxCipherRecLen || len <= 0)
+		rcvError(tr, ERecordOverflow, "bad record message length %d", len);
 	ensure(tr, &tr->unprocessed, len);
 	nconsumed = 0;
 	poperror();