qemu-devel

[Qemu-devel] [PULL 12/15] nbd-server: do not check request length except


From: Paolo Bonzini
Subject: [Qemu-devel] [PULL 12/15] nbd-server: do not check request length except for reads and writes
Date: Fri, 15 Jan 2016 17:04:28 +0100

Only reads and writes need to allocate memory corresponding to the
request length.  Other requests can be sent to the storage without
allocating any memory, and thus any request length is acceptable.

Reported-by: Sitsofe Wheeler <address@hidden>
Cc: address@hidden
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
 nbd/server.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/nbd/server.c b/nbd/server.c
index 8752885..c41af0d 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -818,13 +818,6 @@ static ssize_t nbd_co_receive_request(NBDRequest *req, 
struct nbd_request *reque
         goto out;
     }
 
-    if (request->len > NBD_MAX_BUFFER_SIZE) {
-        LOG("len (%u) is larger than max len (%u)",
-            request->len, NBD_MAX_BUFFER_SIZE);
-        rc = -EINVAL;
-        goto out;
-    }
-
     if ((request->from + request->len) < request->from) {
         LOG("integer overflow detected! "
             "you're probably being attacked");
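Review bot: With the NBD_MAX_BUFFER_SIZE test removed from this position, the only length validation left here for commands other than reads and writes is the wraparound test `(request->from + request->len) < request->from`, which rejects overflow but does not bound the range. Nothing in the visible lines compares from + len against the size of the export, so it is worth confirming that such a check runs before these requests reach the storage layer, or adding it next to the overflow test. The commit message could also name the commands that are expected to carry a len above NBD_MAX_BUFFER_SIZE.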
@@ -836,6 +829,13 @@ static ssize_t nbd_co_receive_request(NBDRequest *req, 
struct nbd_request *reque
 
     command = request->type & NBD_CMD_MASK_COMMAND;
     if (command == NBD_CMD_READ || command == NBD_CMD_WRITE) {
+        if (request->len > NBD_MAX_BUFFER_SIZE) {
+            LOG("len (%u) is larger than max len (%u)",
+                request->len, NBD_MAX_BUFFER_SIZE);
+            rc = -EINVAL;
+            goto out;
+        }
+
         req->data = blk_blockalign(client->exp->blk, request->len);
     }
     if (command == NBD_CMD_WRITE) {
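Review bot: The bound now sits directly before `req->data = blk_blockalign(client->exp->blk, request->len);`, which is the right place for it, but the reason it lives inside this branch is stated only in the commit message. A one-line comment above the `request->len > NBD_MAX_BUFFER_SIZE` test saying that it caps the client-controlled allocation size would keep a later command that allocates from request->len from being added outside this branch without the check.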
-- 
1.8.3.1




