handle some malformed 9P requests gracefully #110
Conversation
|
Hmm, one comment got dropped. typo 'reqst' in commit message of 7df07c7 |
Problem: when a read/write to an xattr has invalid arguments, it sets np_uerror (EINVAL) but the caller then sets np_uerror (errno), potentially clearing the original error and triggering an assertion in np_req_respond(). Set errno = EINVAL instead.
Problem: the Twrite xattr offset is not checked, so a malformed request can trigger a diod server segfault or worse. Check the offset in Tread and Twrite. Add a test Thanks to @rtmrtmrtmrtm for the bug report and reproducer.
Problem: buf_check_size() doesn't flag a buffer overflow if the buffer is exactly full when the check is performed. For example, a malformed Tlink with name size > 0 but no name causes a segfault. Fix off by one check so this and similar malformed requests generate an error response. Add unit test. Fixes chaos#109
|
Thanks! Fixed that and rebased. I'll set MWP. |
|
This pull request has been removed from the queue for the following reason: Pull request #110 has been dequeued. The pull request could not be merged. This could be related to an activated branch protection or ruleset rule that prevents us from merging. (detail: 2 of 2 required status checks are queued.) You should look at the reason for the failure and decide if the pull request needs to be fixed or if you want to requeue it. If you want to requeue this pull request, you need to post a comment with the text: |
|
@Mergifyio requeue |
|
|
@Mergifyio requeue |
✅ The queue state of this pull request has been cleaned. It can be re-embarked automatically |
This fixes diod's poor (segfaulting) handling of a couple of malformed requests reported by @rtmrtmrtmrtm.