[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH v2 01/15] nbd/client: Add safety check on chunk payload length
From: |
Eric Blake |
Subject: |
[PATCH v2 01/15] nbd/client: Add safety check on chunk payload length |
Date: |
Mon, 14 Nov 2022 16:48:34 -0600 |
Our existing use of structured replies either reads into a qiov capped
at 32M (NBD_CMD_READ) or caps allocation to 1000 bytes (see
NBD_MAX_MALLOC_PAYLOAD in block/nbd.c). But the existing length
checks are rather late; if we encounter a buggy (or malicious) server
that sends a super-large payload length, we should drop the connection
right then rather than assuming the layer on top will be careful.
This becomes more important when we permit 64-bit lengths which are
even more likely to have the potential for attempted denial of service
abuse.
Signed-off-by: Eric Blake <eblake@redhat.com>
---
nbd/client.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/nbd/client.c b/nbd/client.c
index 90a6b7b38b..cd97a2aa09 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -1412,6 +1412,18 @@ static int nbd_receive_structured_reply_chunk(QIOChannel
*ioc,
chunk->handle = be64_to_cpu(chunk->handle);
chunk->length = be32_to_cpu(chunk->length);
+ /*
+ * Because we use BLOCK_STATUS with REQ_ONE, and cap READ requests
+ * at 32M, no valid server should send us payload larger than
+ * this. Even if we stopped using REQ_ONE, sane servers will cap
+ * the number of extents they return for block status.
+ */
+ if (chunk->length > NBD_MAX_BUFFER_SIZE + sizeof(NBDStructuredReadData)) {
+ error_setg(errp, "server chunk %" PRIu32 " (%s) payload is too long",
+ chunk->type, nbd_rep_lookup(chunk->type));
+ return -EINVAL;
+ }
+
return 0;
}
--
2.38.1
- [PATCH v2 06/15] nbd/server: Refactor to pass full request around, (continued)
- [PATCH v2 06/15] nbd/server: Refactor to pass full request around, Eric Blake, 2022/11/14
- [PATCH v2 12/15] nbd/server: Prepare for per-request filtering of BLOCK_STATUS, Eric Blake, 2022/11/14
- [PATCH v2 04/15] nbd: Add types for extended headers, Eric Blake, 2022/11/14
- [PATCH v2 15/15] RFC: nbd/server: Send 64-bit hole chunk, Eric Blake, 2022/11/14
- [PATCH v2 13/15] nbd/server: Add FLAG_PAYLOAD support to CMD_BLOCK_STATUS, Eric Blake, 2022/11/14
- [PATCH v2 09/15] nbd/client: Initial support for extended headers, Eric Blake, 2022/11/14
- [PATCH v2 10/15] nbd/client: Accept 64-bit block status chunks, Eric Blake, 2022/11/14
- [PATCH v2 08/15] nbd/server: Support 64-bit block status, Eric Blake, 2022/11/14
- [PATCH v2 07/15] nbd/server: Initial support for extended headers, Eric Blake, 2022/11/14
- [PATCH v2 11/15] nbd/client: Request extended headers during negotiation, Eric Blake, 2022/11/14
- [PATCH v2 01/15] nbd/client: Add safety check on chunk payload length,
Eric Blake <=
- [PATCH v2 03/15] nbd: Prepare for 64-bit request effect lengths, Eric Blake, 2022/11/14
- [PATCH v2 14/15] RFC: nbd/client: Accept 64-bit hole chunks, Eric Blake, 2022/11/14
- [PATCH v2 05/15] nbd/server: Refactor handling of request payload, Eric Blake, 2022/11/14
- [PATCH v2 02/15] nbd/server: Prepare for alternate-size headers, Eric Blake, 2022/11/14
- [PATCH v2 0/6] NBD spec changes for 64-bit extensions, Eric Blake, 2022/11/14
- [PATCH v2 3/6] spec: Add NBD_OPT_EXTENDED_HEADERS, Eric Blake, 2022/11/14
- [PATCH v2 1/6] spec: Recommend cap on NBD_REPLY_TYPE_BLOCK_STATUS length, Eric Blake, 2022/11/14
- [PATCH v2 5/6] spec: Introduce NBD_FLAG_BLOCK_STATUS_PAYLOAD, Eric Blake, 2022/11/14
- [PATCH v2 6/6] RFC: spec: Introduce NBD_REPLY_TYPE_OFFSET_HOLE_EXT, Eric Blake, 2022/11/14
- [PATCH v2 4/6] spec: Allow 64-bit block status results, Eric Blake, 2022/11/14