From: Eric Blake <eblake@redhat.com>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
	vsementsov@virtuozzo.com,
	"open list:Network Block Dev..." <qemu-block@nongnu.org>,
	Max Reitz <mreitz@redhat.com>
Subject: [PATCH] nbd: Don't let client send oversize strings
Date: Fri, 27 Sep 2019 23:13:01 -0500	[thread overview]
Message-ID: <20190928041301.16296-1-eblake@redhat.com> (raw)

Qemu as server currently won't accept export names larger than 256
bytes, so most uses of qemu as client have no reason to get anywhere
near the NBD spec maximum of a 4k limit per string.  However, we
didn't actually have any code that prevented the client from violating
the protocol, which, while useful for testing corner-case server
reactions, is probably not ideal.

Signed-off-by: Eric Blake <eblake@redhat.com>
---
 include/block/nbd.h | 1 +
 nbd/client.c        | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/include/block/nbd.h b/include/block/nbd.h
index 316fd705a9e4..fcabdf0f37c3 100644
--- a/include/block/nbd.h
+++ b/include/block/nbd.h
@@ -232,6 +232,7 @@ enum {
  * going larger would require an audit of more code to make sure we
  * aren't overflowing some other buffer. */
 #define NBD_MAX_NAME_SIZE 256
+#define NBD_MAX_STRING_SIZE 4096

 /* Two types of reply structures */
 #define NBD_SIMPLE_REPLY_MAGIC      0x67446698
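Review bot: the new `#define NBD_MAX_STRING_SIZE 4096` directly under NBD_MAX_NAME_SIZE carries no comment, while the block above it explains why NBD_MAX_NAME_SIZE stays at 256; a reader seeing two adjacent limits has to guess how they relate. A one-line note that 4096 is the NBD spec's per-string maximum (as the commit message states) and that it bounds what the client sends, not what this server accepts, would prevent the two from being confused, e.g. `/* Largest string the NBD spec allows; the server still caps names at NBD_MAX_NAME_SIZE. */`.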
diff --git a/nbd/client.c b/nbd/client.c
index f6733962b49b..3f21722dd914 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -648,6 +648,10 @@ static int nbd_send_meta_query(QIOChannel *ioc, uint32_t opt,
     if (query) {
         query_len = strlen(query);
         data_len += sizeof(query_len) + query_len;
+        if (query_len > NBD_MAX_STRING_SIZE) {
+            error_setg(errp, "x_dirty_bitmap query too long to send to server");
+            return -1;
+        }
     } else {
         assert(opt == NBD_OPT_LIST_META_CONTEXT);
     }
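Review bot: the check at `if (query_len > NBD_MAX_STRING_SIZE)` runs after `data_len += sizeof(query_len) + query_len;` has already folded the oversize length in. That is harmless today because the function returns -1 immediately, but moving the check to directly after `query_len = strlen(query);` makes the invariant (data_len only ever accumulates validated lengths) explicit and keeps a later refactor from tripping over it. The message "x_dirty_bitmap query too long to send to server" also names one user-facing option, whereas nbd_send_meta_query takes a generic `opt` and query (the else branch asserts NBD_OPT_LIST_META_CONTEXT for the NULL case), so "meta context query too long to send to server" would not mislead callers that pass other contexts.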
@@ -1010,6 +1014,10 @@ int nbd_receive_negotiate(AioContext *aio_context, QIOChannel *ioc,
     bool base_allocation = info->base_allocation;

     assert(info->name);
+    if (strlen(info->name) > NBD_MAX_STRING_SIZE) {
+        error_setg(errp, "name too long to send to server");
+        return -EINVAL;
+    }
     trace_nbd_receive_negotiate_name(info->name);

     result = nbd_start_negotiate(aio_context, ioc, tlscreds, hostname, outioc,
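Review bot: the `strlen(info->name) > NBD_MAX_STRING_SIZE` check returns -EINVAL while the matching check in nbd_send_meta_query returns -1; if each matches its function's existing convention that is fine, but it is worth confirming so callers of nbd_receive_negotiate that expect -errno values are not surprised. The message "name too long to send to server" would also be more useful with the actual and maximum lengths, e.g. `error_setg(errp, "export name too long to send to server (%zu > %d)", strlen(info->name), NBD_MAX_STRING_SIZE);`, since a user who hits it has no other way to learn the limit.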
-- 
2.21.0
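The patch guards the two places where the QEMU client puts a user-controlled string on the wire. To show where that guard sits in the encoding, here is an added example (not QEMU's code; the function names nbd_encode_opt_go and nbd_encode_opt_go_len are hypothetical) that builds an NBD_OPT_GO request with the NBD spec's length-prefixed layout and rejects a name longer than 4096 bytes before any length arithmetic happens. The magic, option number and layout are taken from the NBD protocol specification; the constructed "disk0" export name and the 4096/4097-byte names are demo inputs only.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire constants from the NBD protocol specification (option haggling). */
#define NBD_OPT_MAGIC        0x49484156454F5054ULL  /* ASCII "IHAVEOPT" */
#define NBD_OPT_GO           7
#define NBD_MAX_STRING_SIZE  4096  /* spec: no string may exceed 4096 bytes */

/* NBD is big-endian on the wire. */
static void put_be16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v >> 8);
    p[1] = (uint8_t)v;
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24);
    p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);
    p[3] = (uint8_t)v;
}

static void put_be64(uint8_t *p, uint64_t v)
{
    put_be32(p, (uint32_t)(v >> 32));
    put_be32(p + 4, (uint32_t)v);
}

/*
 * Encode an NBD_OPT_GO request for export `name` into out[0..cap).
 * Wire layout: 64-bit magic, 32-bit option, 32-bit payload length, then the
 * payload: 32-bit name length, name bytes, 16-bit count of info requests (0).
 * Returns bytes written, or a negative errno: -EINVAL when the name exceeds
 * the spec's per-string limit (the client-side guard the patch adds),
 * -ENOSPC when `out` is too small.  Hypothetical helper, not QEMU's API.
 */
int nbd_encode_opt_go(const char *name, uint8_t *out, size_t cap)
{
    size_t name_len = strlen(name);
    size_t payload_len, total;
    uint8_t *p = out;

    /* Validate before any length arithmetic uses name_len. */
    if (name_len > NBD_MAX_STRING_SIZE) {
        return -EINVAL;
    }
    payload_len = 4 + name_len + 2;
    total = 8 + 4 + 4 + payload_len;
    if (total > cap) {
        return -ENOSPC;
    }

    put_be64(p, NBD_OPT_MAGIC);           p += 8;
    put_be32(p, NBD_OPT_GO);              p += 4;
    put_be32(p, (uint32_t)payload_len);   p += 4;
    put_be32(p, (uint32_t)name_len);      p += 4;
    memcpy(p, name, name_len);            p += name_len;
    put_be16(p, 0);                       p += 2;  /* no NBD_INFO_* requests */
    return (int)(p - out);
}

/* Demo helper: encode a constructed name of `len` 'a' bytes (len <= 4097). */
int nbd_encode_opt_go_len(size_t len, uint8_t *out, size_t cap)
{
    char name[NBD_MAX_STRING_SIZE + 2];

    if (len >= sizeof(name)) {
        return -EINVAL;
    }
    memset(name, 'a', len);
    name[len] = '\0';
    return nbd_encode_opt_go(name, out, cap);
}

int main(void)
{
    uint8_t buf[NBD_MAX_STRING_SIZE + 64];
    int n = nbd_encode_opt_go("disk0", buf, sizeof(buf));
    int i;

    printf("NBD_OPT_GO for \"disk0\": %d bytes\n", n);
    for (i = 0; i < n; i++) {
        printf("%02x%s", buf[i], (i % 16 == 15 || i == n - 1) ? "\n" : " ");
    }
    printf("4096-byte name: %d\n", nbd_encode_opt_go_len(4096, buf, sizeof(buf)));
    printf("4097-byte name: %d (expect -EINVAL)\n",
           nbd_encode_opt_go_len(4097, buf, sizeof(buf)));
    return 0;
}
```

The check sits before `payload_len` is computed, so the 32-bit length fields never see a value the protocol forbids; a 4096-byte name encodes to 4118 bytes, a 4097-byte name is refused outright rather than being handed to a server that has to decide how to reject it.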



Thread overview: 3+ messages
2019-09-28  4:13 Eric Blake [this message]
2019-09-29 18:49 ` [PATCH] nbd: Don't let client send oversize strings Maxim Levitsky
2019-10-09 15:30   ` Eric Blake
