MIRRORS/linux-yocto
1
0
Fork 0
mirror of git://git.yoctoproject.org/linux-yocto.git synced 2025-08-21 16:31:14 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
v6.1.146
linux-yocto/net/9p
History
Dominique Martinet 468ff4a7c6 9p/net: fix improper handling of bogus negative read/write replies 
[ Upstream commit d0259a856a ]

In p9_client_write() and p9_client_read_once(), if the server
incorrectly replies with success but a negative write/read count then we
would consider written (negative) <= rsize (positive) because both
variables were signed.

Make variables unsigned to avoid this problem.

The reproducer linked below now fails with the following error instead
of a null pointer deref:
9pnet: bogus RWRITE count (4294967295 > 3)

Reported-by: Robert Morris <rtm@mit.edu>
Closes: https://lore.kernel.org/16271.1734448631@26-5-164.dynamic.csail.mit.edu
Message-ID: <20250319-9p_unsigned_rw-v3-1-71327f1503d0@codewreck.org>
Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-05-02 07:47:04 +02:00
..
client.c 9p/net: fix improper handling of bogus negative read/write replies 2025-05-02 07:47:04 +02:00
error.c
Kconfig
Makefile
mod.c
protocol.c net: 9p: avoid freeing uninit memory in p9pdu_vreadf 2024-01-01 12:39:04 +00:00
protocol.h
trans_common.c
trans_common.h
trans_fd.c 9p/trans_fd: Annotate data-racy writes to file::f_flags 2023-11-28 17:07:01 +00:00
trans_rdma.c
trans_virtio.c
trans_xen.c 9p/xen: fix release of IRQ 2024-12-14 19:54:08 +01:00