Message ID | 1460153158-21612-6-git-send-email-eblake@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
On 8 Apr 2016, at 23:05, Eric Blake <eblake@redhat.com> wrote: > The NBD protocol says that clients should not send a command flag > that has not been negotiated (whether by the client requesting an > option during a handshake, or because we advertise support for the > flag in response to NBD_OPT_EXPORT_NAME), and that servers should > reject invalid flags with EINVAL. We were silently ignoring the > flags instead. The client can't rely on our behavior, since it is > their fault for passing the bad flag in the first place, but it's > better to be robust up front than to possibly behave differently > than the client was expecting with the attempted flag. > > Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: Alex Bligh <alex@alex.org.uk> > --- > nbd/server.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/nbd/server.c b/nbd/server.c > index 81afae2..a10294e 100644 > --- a/nbd/server.c > +++ b/nbd/server.c > @@ -984,6 +984,11 @@ static ssize_t nbd_co_receive_request(NBDRequest *req, struct nbd_request *reque > goto out; > } > > + if (request->type & ~NBD_CMD_MASK_COMMAND & ~NBD_CMD_FLAG_FUA) { > + LOG("unsupported flags (got 0x%x)", > + request->type & ~NBD_CMD_MASK_COMMAND); > + return -EINVAL; > + } > if ((request->from + request->len) < request->from) { > LOG("integer overflow detected! " > "you're probably being attacked"); > -- > 2.5.5 > >
diff --git a/nbd/server.c b/nbd/server.c index 81afae2..a10294e 100644 --- a/nbd/server.c +++ b/nbd/server.c @@ -984,6 +984,11 @@ static ssize_t nbd_co_receive_request(NBDRequest *req, struct nbd_request *reque goto out; } + if (request->type & ~NBD_CMD_MASK_COMMAND & ~NBD_CMD_FLAG_FUA) { + LOG("unsupported flags (got 0x%x)", + request->type & ~NBD_CMD_MASK_COMMAND); + return -EINVAL; + } if ((request->from + request->len) < request->from) { LOG("integer overflow detected! " "you're probably being attacked");
The NBD protocol says that clients should not send a command flag that has not been negotiated (whether by the client requesting an option during a handshake, or because we advertise support for the flag in response to NBD_OPT_EXPORT_NAME), and that servers should reject invalid flags with EINVAL. We were silently ignoring the flags instead. The client can't rely on our behavior, since it is their fault for passing the bad flag in the first place, but it's better to be robust up front than to possibly behave differently than the client was expecting with the attempted flag. Signed-off-by: Eric Blake <eblake@redhat.com> --- nbd/server.c | 5 +++++ 1 file changed, 5 insertions(+)