[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH for-2.6] nbd: Don't fail handshake on NBD_OPT_LI
From: |
Eric Blake |
Subject: |
Re: [Qemu-devel] [PATCH for-2.6] nbd: Don't fail handshake on NBD_OPT_LIST descriptions |
Date: |
Fri, 8 Apr 2016 07:52:15 -0600 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.7.1 |
On 04/07/2016 11:51 PM, Alex Bligh wrote:
>
> On 8 Apr 2016, at 02:09, Eric Blake <address@hidden> wrote:
>
>> The NBD Protocol states that NBD_REP_SERVER may set
>> 'length > sizeof(namelen) + namelen'; in which case the rest
>> of the packet is a UTF-8 description of the export. While we
>> don't know of any NBD servers that send this description yet,
>> we had better consume the data so we don't choke when we start
>> to talk to such a server.
>>
>> Also, a (buggy/malicious) server that replies with length <
>> sizeof(namelen) would cause us to block waiting for bytes that
>> the server is not sending, and one that replies with super-huge
>> lengths could cause us to temporarily allocate up to 4G memory.
>> Sanity check things before blindly reading incorrectly.
>>
>> Signed-off-by: Eric Blake <address@hidden>
>> ---
>> + if (len < namelen) {
>> + error_setg(errp, "incorrect option name length");
>> return -1;
>> }
>> if (namelen > 255) {
>
> Shouldn't that be 4096? You are after all reading up to NBD_MAX_BUFFER_SIZE
> (32K) of data just earlier.
>
NBD_MAX_BUFFER_SIZE is actually 32M, not 32k.
> Not technically the bug you are trying to fix, so
And yes, I need to do a much bigger scrub of qemu code, both client and
server, to allow export names longer than 255, up to the
just-barely-documented 4096 maximum in the NBD protocol. But you are
right that such an audit is separate from this immediate fix.
>
> Reviewed-by: Alex Bligh <address@hidden>
Thanks.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature