[Qemu-devel] [PULL 12/15] nbd-server: do not check request length except
From: Paolo Bonzini
Subject: [Qemu-devel] [PULL 12/15] nbd-server: do not check request length except for reads and writes
Date: Fri, 15 Jan 2016 17:04:28 +0100
Only reads and writes need to allocate memory correspondent to the
request length. Other requests can be sent to the storage without
allocating any memory, and thus any request length is acceptable.
Reported-by: Sitsofe Wheeler <address@hidden>
Cc: address@hidden
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
nbd/server.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/nbd/server.c b/nbd/server.c
index 8752885..c41af0d 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -818,13 +818,6 @@ static ssize_t nbd_co_receive_request(NBDRequest *req,
struct nbd_request *reque
goto out;
}
- if (request->len > NBD_MAX_BUFFER_SIZE) {
- LOG("len (%u) is larger than max len (%u)",
- request->len, NBD_MAX_BUFFER_SIZE);
- rc = -EINVAL;
- goto out;
- }
-
if ((request->from + request->len) < request->from) {
LOG("integer overflow detected! "
"you're probably being attacked");
@@ -836,6 +829,13 @@ static ssize_t nbd_co_receive_request(NBDRequest *req,
struct nbd_request *reque
command = request->type & NBD_CMD_MASK_COMMAND;
if (command == NBD_CMD_READ || command == NBD_CMD_WRITE) {
+ if (request->len > NBD_MAX_BUFFER_SIZE) {
+ LOG("len (%u) is larger than max len (%u)",
+ request->len, NBD_MAX_BUFFER_SIZE);
+ rc = -EINVAL;
+ goto out;
+ }
+
req->data = blk_blockalign(client->exp->blk, request->len);
}
if (command == NBD_CMD_WRITE) {
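Review bot: The moved `if (request->len > NBD_MAX_BUFFER_SIZE)` test now exists solely to bound the `blk_blockalign(client->exp->blk, request->len)` allocation on the next line, but nothing in the code says so. A short comment above the test stating that it caps the buffer allocated for reads and writes would make the dependency explicit, and would flag to anyone adding another command that allocates by `request->len` that it must sit inside this `command == NBD_CMD_READ || command == NBD_CMD_WRITE` branch or carry its own cap.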
--
1.8.3.1