diff options
| author | Luke T. Shumaker <lukeshu@lukeshu.com> | 2024-10-02 22:09:31 -0600 |
|---|---|---|
| committer | Luke T. Shumaker <lukeshu@lukeshu.com> | 2024-10-02 22:09:31 -0600 |
| commit | 4d451f90eba193a4ca2848c4ac7acccda96ed008 (patch) | |
| tree | e00a41587de365134032fbd1ceff124b5552a280 /lib9p/types.c | |
| parent | ad2027ae26e5d83eb42c9edaa90f7b278f9b0d3d (diff) | |
lib9p: Validate Twalk and Rwalk list sizes
Diffstat (limited to 'lib9p/types.c')
| -rw-r--r-- | lib9p/types.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/lib9p/types.c b/lib9p/types.c index baddab3..0343a48 100644 --- a/lib9p/types.c +++ b/lib9p/types.c @@ -311,7 +311,11 @@ static ALWAYS_INLINE bool _validate_size_host(struct _validate_ctx *ctx, size_t } static ALWAYS_INLINE bool _validate_list(struct _validate_ctx *ctx, - size_t cnt, _validate_fn_t item_fn, size_t item_host_size) { + size_t cnt, size_t max, + _validate_fn_t item_fn, size_t item_host_size) { + if (max && cnt > max) + return lib9p_errorf(ctx->ctx, LINUX_EBADMSG, "list size is too large (%zu > %zu)", + cnt, max); for (size_t i = 0; i < cnt; i++) if (_validate_size_host(ctx, item_host_size) || item_fn(ctx)) return true; @@ -460,12 +464,12 @@ static FLATTEN bool validate_Twalk(struct _validate_ctx *ctx) { return validate_4(ctx) || validate_4(ctx) || validate_2(ctx) - || _validate_list(ctx, decode_u16le(&ctx->net_bytes[ctx->net_offset-2]), validate_s, sizeof(struct lib9p_s)); + || _validate_list(ctx, decode_u16le(&ctx->net_bytes[ctx->net_offset-2]), 16, validate_s, sizeof(struct lib9p_s)); } static FLATTEN bool validate_Rwalk(struct _validate_ctx *ctx) { return validate_2(ctx) - || _validate_list(ctx, decode_u16le(&ctx->net_bytes[ctx->net_offset-2]), validate_qid, sizeof(struct lib9p_qid)); + || _validate_list(ctx, decode_u16le(&ctx->net_bytes[ctx->net_offset-2]), 16, validate_qid, sizeof(struct lib9p_qid)); } static FLATTEN bool validate_Topen(struct _validate_ctx *ctx) { @@ -554,7 +558,7 @@ static FLATTEN bool validate_Rsession(struct _validate_ctx *UNUSED(ctx)) { static FLATTEN bool validate_Tsread(struct _validate_ctx *ctx) { return validate_4(ctx) || validate_2(ctx) - || _validate_list(ctx, decode_u16le(&ctx->net_bytes[ctx->net_offset-2]), validate_s, sizeof(struct lib9p_s)); + || _validate_list(ctx, decode_u16le(&ctx->net_bytes[ctx->net_offset-2]), 0, validate_s, sizeof(struct lib9p_s)); } static FLATTEN bool validate_Rsread(struct _validate_ctx *ctx) { @@ -564,7 +568,7 @@ static FLATTEN bool validate_Rsread(struct _validate_ctx *ctx) { static FLATTEN bool validate_Tswrite(struct _validate_ctx *ctx) { return validate_4(ctx) || validate_2(ctx) - || _validate_list(ctx, decode_u16le(&ctx->net_bytes[ctx->net_offset-2]), validate_s, sizeof(struct lib9p_s)) + || _validate_list(ctx, decode_u16le(&ctx->net_bytes[ctx->net_offset-2]), 0, validate_s, sizeof(struct lib9p_s)) || validate_d(ctx); } |