ref: 27abf782b4a59122c6a35426c0ea4d3fb3f872fd
parent: b181c1f7f561dbbb136495fabfb7eec4e5390434
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Sun Mar 16 02:42:53 EDT 2025
ndb/dns: check for truncated read offset Unlike ndb/cs, we check for negative read offset, but truncation can still happen as offset is 64-bit and we only handle integer offsets.
--- a/sys/src/cmd/ndb/dns.c
+++ b/sys/src/cmd/ndb/dns.c
@@ -608,7 +608,9 @@
cnt = job->request.count;
*buf = '\0';
job->reply.data = (char*)buf;
- if(mf->qid.type & QTDIR){
+ if(off < 0 || off != job->request.offset)
+ err = "bad read offset";
+ else if(mf->qid.type & QTDIR){
clock = time(nil);
if(off == 0){
memset(&dir, 0, sizeof dir);
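Review bot: The new guard `off != job->request.offset` only detects truncation because `off` is narrower than the 64-bit request offset, and neither its declaration nor its assignment is visible in this hunk, so on its own the line reads like a tautology. A short comment above it would help, e.g. `/* off is an int copy of the 64-bit request offset; reject values that do not round-trip */` (assuming the type the commit message implies). The check now runs before the `QTDIR` branch, so a directory read with an out-of-range offset gets "bad read offset" where it previously just failed the `if(off == 0)` test; that looks intended but deserves a word in the commit message. `cnt = job->request.count` on the first context line is client-supplied as well and no bound on it is visible here, so it is worth confirming that the rest of the function, which starts and ends outside the hunk, clamps it before it is combined with `off`.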
@@ -622,9 +624,7 @@
dir.atime = dir.mtime = clock; /* wrong */
n = convD2M(&dir, buf, sizeof buf);
}
- } else if (off < 0)
- err = "negative read offset";
- else {
+ } else {
/* first offset will always be zero */
for(i = 1; i <= mf->nrr; i++)
if(mf->rr[i] > off)
--
⑨