提交 200650d4 编写于 作者: E Eric Blake 提交者: Max Reitz

nbd: Don't fail handshake on NBD_OPT_LIST descriptions

The NBD Protocol states that NBD_REP_SERVER may set
'length > sizeof(namelen) + namelen'; in which case the rest
of the packet is a UTF-8 description of the export.  While we
don't know of any NBD servers that send this description yet,
we had better consume the data so we don't choke when we start
to talk to such a server.

Also, a (buggy/malicious) server that replies with length <
sizeof(namelen) would cause us to block waiting for bytes that
the server is not sending, and one that replies with super-huge
lengths could cause us to temporarily allocate up to 4G memory.
Sanity check things before blindly reading incorrectly.
Signed-off-by: NEric Blake <eblake@redhat.com>
Message-id: 1460077777-31004-1-git-send-email-eblake@redhat.com
Reviewed-by: NAlex Bligh <alex@alex.org.uk>
Signed-off-by: NMax Reitz <mreitz@redhat.com>
上级 e71fc0ba
...@@ -192,13 +192,18 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, Error **errp) ...@@ -192,13 +192,18 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, Error **errp)
return -1; return -1;
} }
} else if (type == NBD_REP_SERVER) { } else if (type == NBD_REP_SERVER) {
if (len < sizeof(namelen) || len > NBD_MAX_BUFFER_SIZE) {
error_setg(errp, "incorrect option length");
return -1;
}
if (read_sync(ioc, &namelen, sizeof(namelen)) != sizeof(namelen)) { if (read_sync(ioc, &namelen, sizeof(namelen)) != sizeof(namelen)) {
error_setg(errp, "failed to read option name length"); error_setg(errp, "failed to read option name length");
return -1; return -1;
} }
namelen = be32_to_cpu(namelen); namelen = be32_to_cpu(namelen);
if (len != (namelen + sizeof(namelen))) { len -= sizeof(namelen);
error_setg(errp, "incorrect option mame length"); if (len < namelen) {
error_setg(errp, "incorrect option name length");
return -1; return -1;
} }
if (namelen > 255) { if (namelen > 255) {
...@@ -214,6 +219,20 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, Error **errp) ...@@ -214,6 +219,20 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, Error **errp)
return -1; return -1;
} }
(*name)[namelen] = '\0'; (*name)[namelen] = '\0';
len -= namelen;
if (len) {
char *buf = g_malloc(len + 1);
if (read_sync(ioc, buf, len) != len) {
error_setg(errp, "failed to read export description");
g_free(*name);
g_free(buf);
*name = NULL;
return -1;
}
buf[len] = '\0';
TRACE("Ignoring export description: %s", buf);
g_free(buf);
}
} else { } else {
error_setg(errp, "Unexpected reply type %x expected %x", error_setg(errp, "Unexpected reply type %x expected %x",
type, NBD_REP_SERVER); type, NBD_REP_SERVER);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册