ref: 0aac600fb3b659b5b9a2a8aaefb821774cf38bd2
parent: 967b1248f82e5f64eab4dbf45898a37851b71fa2
author: cinap_lenrek <[email protected]>
date: Thu Feb 28 20:43:55 EST 2019
lib9p: fix zero msize abort() due to unknown version (thanks kivik) kivik wrote: I've found a nasty bug in lib9p handling of Tversion messages, where an invalid version string in the request leads to servers abort()ing the spaceship. To reproduce: ; ramfs -S ram ; aux/9pcon /srv/ram Tversion ~0 DIE The issue lies in sversion() where in case an invalid version string is received we respond right away with ofcall.version="unknown"; however, we fail to set the ofcall.msize, which at this point is cleared to 0. This causes the convS2M call in respond() to fail and abort being called.
--- a/sys/src/lib9p/srv.c
+++ b/sys/src/lib9p/srv.c
@@ -172,6 +172,7 @@
}
if(strncmp(r->ifcall.version, "9P", 2) != 0){
r->ofcall.version = "unknown";
+ r->ofcall.msize = 256;
respond(r, nil);
return;
}
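Review bot: The added `r->ofcall.msize = 256;` is a bare magic number with nothing stating why 256 is a safe floor for the Rversion reply, and the `}` that opens the hunk suggests a related size check precedes it, but that code is outside the hunk so the relationship cannot be confirmed here. A one-line comment would keep the intent from being lost in the next refactor: `/* unknown version: still answer with the smallest msize a 9P client must support, so convS2M cannot fail */`. If the lower bound checked earlier in sversion is also 256, hoisting both uses into one named constant would stop the two values from drifting apart. sversion begins and ends outside this hunk.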