Re: [PATCH v3] net/9p: Fix buffer overflow in USB transport layer
From: Kees Cook
Date: Sun Jun 22 2025 - 16:02:32 EST
On June 22, 2025 6:39:56 AM PDT, Dominique Martinet via B4 Relay <devnull+asmadeus.codewreck.org@xxxxxxxxxx> wrote:
> [...]
>Add validation in usb9pfs_rx_complete() to ensure req->actual does not
>exceed the buffer capacity before copying data.
> [...]
>+ if (req_size > p9_rx_req->rc.capacity) {
>+ dev_err(&cdev->gadget->dev,
>+ "%s received data size %u exceeds buffer capacity %zu\n",
>+ ep->name, req_size, p9_rx_req->rc.capacity);
>+ req_size = 0;
>+ status = REQ_STATUS_ERROR;
>+ }
>
>- p9_rx_req->rc.size = req->actual;
>+ memcpy(p9_rx_req->rc.sdata, req->buf, req_size);
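Review bot: the removed line `p9_rx_req->rc.size = req->actual;` has no visible replacement in this hunk, so after the bounds check the received length is only used for the memcpy and rc.size is never updated from req_size. Unless rc.size is assigned from req_size further down (outside the quoted context), the callback that consumes p9_rx_req will see a stale or zero size; the assignment should be kept, but from the clamped req_size rather than the raw req->actual, e.g. `p9_rx_req->rc.size = req_size;` placed after the capacity check and before the copy.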
Is rc.sdata always rc.capacity sized? If so, this would be a good first adopter of the __counted_by annotation for pointer struct members, available in Clang trunk and soon in GCC:
https://gcc.gnu.org/pipermail/gcc-patches/2025-May/683696.html
-Kees
--
Kees Cook