[illumos-gate merge]release-20220811

commit 64121b135066abca1808f49288c947e236922532 14899 lib9p: Remove potential buffer overwrite in l9p_puqids()
author: Dan McDonald <danmcd@mnx.io> 2022-08-10 16:40:47 -0400
committer: Dan McDonald <danmcd@mnx.io> 2022-08-10 16:40:47 -0400
commit: 2686a5b512d3e1ec5236a82c645d032a7b5dd129 (patch)
tree: 4af77ea43f0d819901de2f092375f4c0596433ce /usr/src/lib/lib9p/common/pack.c
parent: e71c34777fe0bbea1bc10f739dc8843205b7bcf9 (diff)
parent: 64121b135066abca1808f49288c947e236922532 (diff)
download: illumos-joyent-release-20220811.tar.gz
1 files changed, 11 insertions, 7 deletions
diff --git a/usr/src/lib/lib9p/common/pack.c b/usr/src/lib/lib9p/common/pack.c
index 13ec5f02b5..eca17d0670 100644
--- a/usr/src/lib/lib9p/common/pack.c
+++ b/usr/src/lib/lib9p/common/pack.c
@@ -346,13 +346,17 @@ l9p_puqids(struct l9p_message *msg, uint16_t *num, struct l9p_qid *qids)
 	ssize_t ret, r;
 
 	r = l9p_pu16(msg, num);
-	if (r > 0) {
-		for (i = 0, lim = *num; i < lim; i++) {
-			ret = l9p_puqid(msg, &qids[i]);
-			if (ret < 0)
-				return (-1);
-			r += ret;
-		}
+	if (r <= 0)
+		return (r);
+
+	if (*num > L9P_MAX_WELEM)
+		return (-1);
+
+	for (i = 0, lim = *num; i < lim; i++) {
+		ret = l9p_puqid(msg, &qids[i]);
+		if (ret < 0)
+			return (-1);
+		r += ret;
 	}
 	return (r);
 }
author	Dan McDonald <danmcd@mnx.io>	2022-08-10 16:40:47 -0400
committer	Dan McDonald <danmcd@mnx.io>	2022-08-10 16:40:47 -0400
commit	2686a5b512d3e1ec5236a82c645d032a7b5dd129 (patch)
tree	4af77ea43f0d819901de2f092375f4c0596433ce /usr/src/lib/lib9p/common/pack.c
parent	e71c34777fe0bbea1bc10f739dc8843205b7bcf9 (diff)
parent	64121b135066abca1808f49288c947e236922532 (diff)
download	illumos-joyent-release-20220811.tar.gz