From 0aac600fb3b659b5b9a2a8aaefb821774cf38bd2 Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Fri, 1 Mar 2019 01:43:55 +0100
Subject: lib9p: fix zero msize abort() due to unknown version (thanks kivik) kivik wrote: I've found a nasty bug in lib9p handling of Tversion messages, where an invalid version string in the request leads to servers abort()ing the spaceship. To reproduce: ; ramfs -S ram ; aux/9pcon /srv/ram Tversion ~0 DIE The issue lies in sversion() where in case an invalid version string is received we respond right away with ofcall.version="unknown"; however, we fail to set the ofcall.msize, which at this point is cleared to 0. This causes the convS2M call in respond() to fail and abort being called.
---
 sys/src/lib9p/srv.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/sys/src/lib9p/srv.c b/sys/src/lib9p/srv.c
index 9090b1a52..207c88f61 100644
--- a/sys/src/lib9p/srv.c
+++ b/sys/src/lib9p/srv.c
@@ -172,6 +172,7 @@ sversion(Srv *srv, Req *r)
 }
 if(strncmp(r->ifcall.version, "9P", 2) != 0){
 r->ofcall.version = "unknown";
+ r->ofcall.msize = 256;
 respond(r, nil);
 return;
 }
-- cgit v1.2.3
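Review bot: The literal `256` assigned to `r->ofcall.msize` in the unknown-version branch of sversion() has no comment, and it is set without looking at `r->ifcall.msize`, so a client that offered a smaller size would apparently get a reply advertising more than it asked for. A comment on the added line would record why the field must be non-zero, for example `/* msize 0 makes convS2M in respond() fail and abort(); 256 is ample for Rversion */`. Going by the commit description, the underlying hazard is that respond() aborts the whole server when convS2M fails on a reply to a client-controlled request, and this change only closes one path into it. It may be worth checking whether other early `respond()` calls can run with `ofcall.msize` still zero. The body of sversion() starts and ends outside the hunk, so the normal msize negotiation is not visible here.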