From patchwork Fri Apr 8 01:09:37 2016
X-Patchwork-Submitter: Eric Blake
X-Patchwork-Id: 8779471
From: Eric Blake
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, alex@alex.org.uk
Date: Thu, 7 Apr 2016 19:09:37 -0600
Message-Id: <1460077777-31004-1-git-send-email-eblake@redhat.com>
Subject: [Qemu-devel] [PATCH for-2.6] nbd: Don't fail handshake on NBD_OPT_LIST descriptions

The NBD Protocol states that NBD_REP_SERVER may set 'length > sizeof(namelen) + namelen'; in which case the rest of the packet is a UTF-8 description of the export. While we don't know of any NBD servers that send this description yet, we had better consume the data so we don't choke when we start to talk to such a server.

Also, a (buggy/malicious) server that replies with length < sizeof(namelen) would cause us to block waiting for bytes that the server is not sending, and one that replies with super-huge lengths could cause us to temporarily allocate up to 4G memory. Sanity check things before blindly reading incorrectly.

Signed-off-by: Eric Blake
Reviewed-by: Alex Bligh
---
Yet another case of code introduced in 2.6 that doesn't play nicely with spec-compliant servers... Hopefully I've squashed them all now?

 nbd/client.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/nbd/client.c b/nbd/client.c
index 6777e58..48f2a21 100644
--- a/nbd/client.c
+++ b/nbd/client.c @@ -192,13 +192,18 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, Error **errp) return -1; } } else if (type == NBD_REP_SERVER) { + if (len < sizeof(namelen) || len > NBD_MAX_BUFFER_SIZE) { + error_setg(errp, "incorrect option length"); + return -1; + } if (read_sync(ioc, &namelen, sizeof(namelen)) != sizeof(namelen)) { error_setg(errp, "failed to read option name length"); return -1; } namelen = be32_to_cpu(namelen); - if (len != (namelen + sizeof(namelen))) { - error_setg(errp, "incorrect option mame length"); + len -= sizeof(namelen); + if (len < namelen) { + error_setg(errp, "incorrect option name length"); return -1; } if (namelen > 255) { @@ -214,6 +219,20 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, Error **errp) return -1; } (*name)[namelen] = '\0'; + len -= namelen; + if (len) { + char *buf = g_malloc(len + 1); + if (read_sync(ioc, buf, len) != len) { + error_setg(errp, "failed to read export description"); + g_free(*name); + g_free(buf); + *name = NULL; + return -1; + } + buf[len] = '\0'; + TRACE("Ignoring export description: %s", buf); + g_free(buf); + } } else { error_setg(errp, "Unexpected reply type %x expected %x", type, NBD_REP_SERVER);
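Review bot: in the first hunk, the new `len > NBD_MAX_BUFFER_SIZE` bound is what caps the later allocation and `len < namelen` is what stops the client blocking on bytes the server never sends, but both short and oversized replies collapse into the same bare "incorrect option length" text; consider including the offending value in the message (with the format specifier matching len's type) so a failed handshake against a misbehaving server can be diagnosed from the error alone. Relaxing the old `len != namelen + sizeof(namelen)` equality to `len < namelen` is deliberate (it is what admits the trailing description), but a one-line comment at that check would stop a future reader from reading it as a weakened validation.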
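Review bot: in the second hunk, the description buffer is entirely server-controlled and goes straight into `TRACE("Ignoring export description: %s", buf);` with no check that it is printable, let alone valid UTF-8 as the spec requires, so a misbehaving server can inject control or terminal escape bytes into the trace output; since the bytes are discarded anyway, trace only the length, or strip non-printable bytes before logging. Also, `g_malloc(len + 1)` allocates up to NBD_MAX_BUFFER_SIZE + 1 bytes per NBD_REP_SERVER reply purely to throw them away; reading into a small fixed scratch buffer in a loop would avoid the per-reply allocation while still draining the stream.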