lisafs: bound Walk and WalkStat response payloads to maxMessageSize #13243
Open
ibondarenko1 wants to merge 1 commit into
WalkHandler and WalkStatHandler size the response payload buffer from the request-controlled path length and only reject it when it exceeds math.MaxUint32 (4 GiB). comm.PayloadBuf slices into a window of maxMessageSize bytes, so any size between maxMessageSize and MaxUint32 indexes past that window. The sibling PReadHandler bounds its response payload against c.maxMessageSize. Apply the same bound to both Walk handlers. math is no longer referenced in the file, so its import is dropped.
ayushr2
approved these changes
May 22, 2026
Problem

WalkHandler and WalkStatHandler size the response payload buffer from the request-controlled req.Path length, and only reject it against math.MaxUint32:

comm.PayloadBuf for the channel transport returns a slice into a window of maxMessageSize bytes. A maxPayloadSize between maxMessageSize and MaxUint32 therefore indexes past that window.

Sibling precedent

PReadHandler, in the same file, bounds its response payload correctly:

Change

Bound maxPayloadSize in both Walk handlers against c.maxMessageSize, matching PReadHandler. math is no longer referenced in the file, so its import is dropped. Two one-line changes plus the import removal.

Scope

Hardening. A handler panic of this shape is recovered by Connection.handleMsg and turned into an EREMOTEIO response, so the gofer does not crash, and the request is only reachable from a compromised sentry. This change removes the reliance on that recover() net and makes the two Walk handlers consistent with PReadHandler. Getdents64Handler has a related but structurally different unbounded re-allocation; it is left for a separate change because its fix is not a one-line bound and would not belong in this minimal cleanup.
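
The bound described in this pull request, as an added example that is not part of the pull request or of gVisor's code: a simplified model of a payload buffer sliced from a fixed window, checked first against math.MaxUint32 and then against the window size. The names window, payloadBuf, respSize and walk, the 1 MiB window and the per-component sizes are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Simplified model, not gVisor code: the transport's payload buffer is a
// window of maxMessageSize bytes. The value here is constructed.
const maxMessageSize = 1 << 20

var window = make([]byte, maxMessageSize)

var errTooBig = errors.New("response payload exceeds limit")

// payloadBuf (hypothetical) returns a slice into the fixed window.
func payloadBuf(size uint32) []byte { return window[:size] }

// respSize (hypothetical) models a response that grows with the number of
// path components in the request; the 8 and 56 byte sizes are constructed.
func respSize(pathLen int) uint64 { return 8 + uint64(pathLen)*56 }

// walk sizes the response from the request-controlled pathLen and rejects
// it only when it exceeds limit. The deferred recover stands in for the
// caller-level recover() the description mentions.
func walk(pathLen int, limit uint64) (n int, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered panic: %v", r)
		}
	}()
	size := respSize(pathLen)
	if size > limit {
		return 0, errTooBig
	}
	return len(payloadBuf(uint32(size))), nil
}

func main() {
	const pathLen = 20000 // constructed: 8 + 20000*56 = 1,120,008 bytes
	_, err := walk(pathLen, math.MaxUint32)
	fmt.Println("limit MaxUint32:     ", err) // slice bounds panic, recovered
	_, err = walk(pathLen, maxMessageSize)
	fmt.Println("limit maxMessageSize:", err) // rejected before slicing
}
```

With the window-sized limit the oversized request is refused by an explicit check, so correctness no longer depends on the panic being recovered.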