From patchwork Fri Apr 8 22:05:45 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Blake X-Patchwork-Id: 8786431 Return-Path: X-Original-To: patchwork-qemu-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id E45D29F71A for ; Fri, 8 Apr 2016 22:06:39 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 5346A2035B for ; Fri, 8 Apr 2016 22:06:39 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 8BB20202EC for ; Fri, 8 Apr 2016 22:06:38 +0000 (UTC) Received: from localhost ([::1]:58514 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aoeY1-0001so-H4 for patchwork-qemu-devel@patchwork.kernel.org; Fri, 08 Apr 2016 18:06:37 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:56158) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aoeXl-0001o9-SS for qemu-devel@nongnu.org; Fri, 08 Apr 2016 18:06:22 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aoeXk-0007Sk-3o for qemu-devel@nongnu.org; Fri, 08 Apr 2016 18:06:21 -0400 Received: from mx1.redhat.com ([209.132.183.28]:45519) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aoeXj-0007Sf-VF for qemu-devel@nongnu.org; Fri, 08 Apr 2016 18:06:20 -0400 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id A7FF77AEAC; Fri, 8 Apr 2016 22:06:19 +0000 (UTC) Received: from red.redhat.com (ovpn-113-199.phx2.redhat.com [10.3.113.199]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u38M67UB029137; Fri, 8 Apr 2016 18:06:19 -0400 From: Eric Blake To: qemu-devel@nongnu.org Date: Fri, 8 Apr 2016 16:05:45 -0600 Message-Id: <1460153158-21612-6-git-send-email-eblake@redhat.com> In-Reply-To: <1460153158-21612-1-git-send-email-eblake@redhat.com> References: <1460153158-21612-1-git-send-email-eblake@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH 05/18] nbd: Reject unknown request flags X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Paolo Bonzini , alex@alex.org.uk Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The NBD protocol says that clients should not send a command flag that has not been negotiated (whether by the client requesting an option during a handshake, or because we advertise support for the flag in response to NBD_OPT_EXPORT_NAME), and that servers should reject invalid flags with EINVAL. We were silently ignoring the flags instead. The client can't rely on our behavior, since it is their fault for passing the bad flag in the first place, but it's better to be robust up front than to possibly behave differently than the client was expecting with the attempted flag. Signed-off-by: Eric Blake Reviewed-by: Alex Bligh --- nbd/server.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/nbd/server.c b/nbd/server.c index 81afae2..a10294e 100644 --- a/nbd/server.c +++ b/nbd/server.c @@ -984,6 +984,11 @@ static ssize_t nbd_co_receive_request(NBDRequest *req, struct nbd_request *reque goto out; } + if (request->type & ~NBD_CMD_MASK_COMMAND & ~NBD_CMD_FLAG_FUA) { + LOG("unsupported flags (got 0x%x)", + request->type & ~NBD_CMD_MASK_COMMAND); + return -EINVAL; + } if ((request->from + request->len) < request->from) { LOG("integer overflow detected! " "you're probably being attacked");