[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH for-2.6] nbd: Don't fail handshake on NBD_OPT_LI

From: Eric Blake
Subject: Re: [Qemu-devel] [PATCH for-2.6] nbd: Don't fail handshake on NBD_OPT_LIST descriptions
Date: Fri, 8 Apr 2016 07:52:15 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.7.1

On 04/07/2016 11:51 PM, Alex Bligh wrote:
> On 8 Apr 2016, at 02:09, Eric Blake <address@hidden> wrote:
>> The NBD Protocol states that NBD_REP_SERVER may set
>> 'length > sizeof(namelen) + namelen'; in which case the rest
>> of the packet is a UTF-8 description of the export.  While we
>> don't know of any NBD servers that send this description yet,
>> we had better consume the data so we don't choke when we start
>> to talk to such a server.
>> Also, a (buggy/malicious) server that replies with length <
>> sizeof(namelen) would cause us to block waiting for bytes that
>> the server is not sending, and one that replies with super-huge
>> lengths could cause us to temporarily allocate up to 4G memory.
>> Sanity check things before blindly reading incorrectly.
>> Signed-off-by: Eric Blake <address@hidden>
>> ---

>> +        if (len < namelen) {
>> +            error_setg(errp, "incorrect option name length");
>>             return -1;
>>         }
>>         if (namelen > 255) {
> Shouldn't that be 4096? You are after all reading up to NBD_MAX_BUFFER_SIZE 
> (32K) of data just earlier.

NBD_MAX_BUFFER_SIZE is actually 32M, not 32k.

> Not technically the bug you are trying to fix, so

And yes, I need to do a much bigger scrub of qemu code, both client and
server, to allow export names longer than 255, up to the
just-barely-documented 4096 maximum in the NBD protocol.  But you are
right that such an audit is separate from this immediate fix.

> Reviewed-by: Alex Bligh <address@hidden>


Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]