ref: b181c1f7f561dbbb136495fabfb7eec4e5390434
parent: 5dcb8d92ff849359a164b7c0d7ecae64594d6db6
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Sun Mar 16 02:42:01 EDT 2025
ndb/cs: check for negative or truncated read offset It is possible to read before the reply buffer by passing negative file-offset. Reply with and error instead.
--- a/sys/src/cmd/ndb/cs.c
+++ b/sys/src/cmd/ndb/cs.c
@@ -678,6 +678,11 @@
cnt = job->request.count;
mf->ref++;
+ if(off < 0 || off != job->request.offset){+ err = "bad read offset";
+ goto send;
+ }
+
if(mf->qid.type & QTDIR){clock = time(0);
if(off == 0){--
⑨