sndiod: Fix insufficent check of input from clients

Fixes possible sndiod(8) crashes caused by a global table overread
triggered by the client.

Found and analysed by Henry Ford <henryfordkjv at gmail.com>, thanks!

ok blumh, help from millert, mlarkin

diff --git a/usr.bin/sndiod/sock.c b/usr.bin/sndiod/sock.c
index 86a78cb..969ea9f 100644 (file)
--- a/usr.bin/sndiod/sock.c
+++ b/usr.bin/sndiod/sock.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: sock.c,v 1.49 2024/05/24 15:16:09 ratchov Exp $       */
+/*     $OpenBSD: sock.c,v 1.50 2024/08/01 14:36:27 ratchov Exp $       */
 /*
  * Copyright (c) 2008-2012 Alexandre Ratchov <alex@caoua.org>
  *
@@ -986,7 +986,7 @@ sock_execmsg(struct sock *f)
        struct slot *s = f->slot;
        struct amsg *m = &f->rmsg;
        unsigned char *data;
-       int size, ctl;
+       unsigned int size, ctl;
        int cmd;
 
        cmd = ntohl(m->cmd);
@@ -1020,7 +1020,7 @@ sock_execmsg(struct sock *f)
                        return 0;
                }
                size = ntohl(m->u.data.size);
-               if (size <= 0) {
+               if (size == 0) {
 #ifdef DEBUG
                        if (log_level >= 1) {
                                sock_log(f);