9p/net: fix improper handling of bogus negative read/write replies - kernel

diff options

author	Dominique Martinet <[email protected]>	2025-03-19 11:20:15 +0000
committer	Dominique Martinet <[email protected]>	2025-03-19 12:19:59 +0000
commit	d0259a856afca31d699b706ed5e2adf11086c73b (patch)
tree	13d61a66605818ccf7cf2ac8493fa461f32e9940 /net/core/lock_debug.c
parent	fs/9p: fix NULL pointer dereference on mkdir (diff)
download	kernel-d0259a856afca31d699b706ed5e2adf11086c73b.tar.gz kernel-d0259a856afca31d699b706ed5e2adf11086c73b.zip

9p/net: fix improper handling of bogus negative read/write replies

In p9_client_write() and p9_client_read_once(), if the server incorrectly replies with success but a negative write/read count then we would consider written (negative) <= rsize (positive) because both variables were signed. Make variables unsigned to avoid this problem. The reproducer linked below now fails with the following error instead of a null pointer deref: 9pnet: bogus RWRITE count (4294967295 > 3) Reported-by: Robert Morris <[email protected]> Closes: https://lore.kernel.org/[email protected] Message-ID: <[email protected]> Reviewed-by: Christian Schoenebeck <[email protected]> Signed-off-by: Dominique Martinet <[email protected]>

Diffstat (limited to 'net/core/lock_debug.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: