From 6250a8badb311953a49bedb16ed17eb59d21c03a Mon Sep 17 00:00:00 2001
From: "Kirill A. Shutemov"
Date: Tue, 30 Dec 2014 02:48:09 +0200
Subject: [PATCH] 9p: use unsigned integers for nwqid/count

As specification says, all integers in messages are unsigned. Let's fix behaviour of p9pdu_vreadf()/p9pdu_vwritef() accordingly. Fix for p9pdu_vreadf() is critical. If server replies with Rwalk, where nwqid > SHRT_MAX, the value will be interpreted as negative. kmalloc, in its order, will cast the value to (very big) size_t. It should never happen in normal situation: we never submit Twalk with nwname > 16, but malicious or broken server can still produce problematic Rwalk.
Signed-off-by: Kirill A. Shutemov
Signed-off-by: Dominique Martinet
Signed-off-by: Eric Van Hensbergen
---
 net/9p/protocol.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/9p/protocol.c b/net/9p/protocol.c
index ab9127ec5b7a..305e4789f2cc 100644
--- a/net/9p/protocol.c
+++ b/net/9p/protocol.c
@@ -273,7 +273,7 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
 }
 break;
 case 'R':{
- int16_t *nwqid = va_arg(ap, int16_t *);
+ uint16_t *nwqid = va_arg(ap, uint16_t *);
 struct p9_qid **wqids = va_arg(ap, struct p9_qid **);
@@ -448,7 +448,7 @@ p9pdu_vwritef(struct p9_fcall *pdu, int proto_version, const char *fmt,
 }
 break;
 case 'U':{
- int32_t count = va_arg(ap, int32_t);
+ uint32_t count = va_arg(ap, uint32_t);
 const char __user *udata = va_arg(ap, const void __user *);
 errcode = p9pdu_writef(pdu, proto_version, "d",
@@ -479,7 +479,7 @@ p9pdu_vwritef(struct p9_fcall *pdu, int proto_version, const char *fmt,
 }
 break;
 case 'R':{
- int16_t nwqid = va_arg(ap, int);
+ uint16_t nwqid = va_arg(ap, int);
 struct p9_qid *wqids = va_arg(ap, struct p9_qid *);
--
2.20.1
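Review bot: In the `case 'R'` hunk of p9pdu_vreadf(), making `nwqid` a `uint16_t` removes the negative interpretation, but a server-supplied count of up to 65535 is still accepted unchanged as far as the hunk shows. The commit message states that the client never sends Twalk with nwname > 16, so the reply count could be rejected against that limit before it sizes the allocation, for example `if (!errcode && *nwqid > P9_MAXWELEM) errcode = -EINVAL;` placed after the count is read. The read of the count and the kmalloc are outside the hunk, so the exact placement and error code need checking against the full function. Every caller that uses this format character must also now pass a `uint16_t *`, which cannot be confirmed from this patch.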
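Review bot: In the `case 'R'` hunk of p9pdu_vwritef(), `uint16_t nwqid = va_arg(ap, int);` reads an `int` on purpose, because a 16-bit argument is promoted to `int` when passed through `...`, and the line deserves a comment saying so: `/* u16 varargs arrive promoted to int; va_arg(ap, uint16_t) would be undefined */`. Without it the mismatch between the declared type and the va_arg type looks like an oversight next to the `case 'U'` hunk, where both sides are `uint32_t`, and invites a later "cleanup" that breaks it. The assignment also narrows silently, so a caller passing a value outside 0..65535 would put a truncated count on the wire. The rest of the case body is outside the hunk.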