From: Eric Blake <eblake@redhat.com>
To: Alex Bligh <alex@alex.org.uk>
Cc: "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
	Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [Qemu-devel] [PATCH for-2.6] nbd: Don't fail handshake on NBD_OPT_LIST descriptions
Date: Fri, 8 Apr 2016 07:52:15 -0600
Message-ID: <5707B78F.5050104@redhat.com>
In-Reply-To: <D759FB98-6D97-4DBE-B514-3EDE80E55D12@alex.org.uk>


On 04/07/2016 11:51 PM, Alex Bligh wrote:
> 
> On 8 Apr 2016, at 02:09, Eric Blake <eblake@redhat.com> wrote:
> 
>> The NBD Protocol states that NBD_REP_SERVER may set
>> 'length > sizeof(namelen) + namelen'; in which case the rest
>> of the packet is a UTF-8 description of the export.  While we
>> don't know of any NBD servers that send this description yet,
>> we had better consume the data so we don't choke when we start
>> to talk to such a server.
>>
>> Also, a (buggy/malicious) server that replies with length <
>> sizeof(namelen) would cause us to block waiting for bytes that
>> the server is not sending, and one that replies with super-huge
>> lengths could cause us to temporarily allocate up to 4G memory.
>> Sanity check things before blindly reading incorrectly.
>>
>> Signed-off-by: Eric Blake <eblake@redhat.com>
>> ---

>> +        if (len < namelen) {
>> +            error_setg(errp, "incorrect option name length");
>>             return -1;
>>         }
>>         if (namelen > 255) {
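Review bot: the error text "incorrect option name length" in the new `len < namelen` check mislabels what is being validated; per the commit message this is the export name length carried in an NBD_REP_SERVER reply, so "incorrect export name length" (or similar) would be clearer to whoever reads the log. The fragment also does not show where the `length < sizeof(namelen)` case the commit message describes is rejected; that check has to run before namelen is read from the wire, so it is worth confirming it precedes this hunk.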
> 
> Shouldn't that be 4096? You are after all reading up to NBD_MAX_BUFFER_SIZE (32K) of data just earlier.
> 

NBD_MAX_BUFFER_SIZE is actually 32M, not 32k.

> Not technically the bug you are trying to fix, so

And yes, I need to do a much bigger scrub of qemu code, both client and
server, to allow export names longer than 255, up to the
just-barely-documented 4096 maximum in the NBD protocol.  But you are
right that such an audit is separate from this immediate fix.

> 
> Reviewed-by: Alex Bligh <alex@alex.org.uk>

Thanks.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
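The three defects the commit message describes (a length too short to hold namelen, a namelen that does not fit inside the stated length, and an absurdly large length that triggers a huge allocation) are all properties of one reply layout, so here is an added example of a client-side parser for the NBD_REP_SERVER payload that rejects each of them before touching or allocating the bytes involved. This is illustrative code written for this page, not qemu's nbd client code; it assumes the reply header's 32-bit length field has already been read, that the payload is a big-endian 32-bit namelen followed by the name and an optional UTF-8 description (as the commit message states), and it uses the 32M and 4096 figures from the thread as hypothetical caps (`REP_MAX_LEN`, `NAME_MAX_LEN`). The sample payloads are constructed, not captured from any server.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Caps are assumptions for this example: 32M mirrors the NBD_MAX_BUFFER_SIZE
 * value quoted in the thread, 4096 the export-name maximum it mentions. */
#define REP_MAX_LEN   (32u * 1024u * 1024u)
#define NAME_MAX_LEN  4096u

enum rep_status {
    REP_OK = 0,
    REP_ERR_LEN_TOO_SHORT,  /* length < sizeof(namelen): a socket read would block */
    REP_ERR_LEN_TOO_LARGE,  /* length above our cap: refuse before allocating */
    REP_ERR_TRUNCATED,      /* fewer bytes arrived than length promised */
    REP_ERR_NAMELEN,        /* namelen does not fit inside length */
    REP_ERR_NAME_TOO_LONG,  /* namelen above the protocol maximum */
    REP_ERR_NOMEM
};

typedef struct {
    char *name;         /* NUL-terminated export name */
    char *description;  /* NUL-terminated UTF-8 description, "" if absent */
} nbd_export_info;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static char *dup_bytes(const uint8_t *src, size_t n)
{
    char *s = malloc(n + 1);
    if (s) { memcpy(s, src, n); s[n] = '\0'; }
    return s;
}

void free_export_info(nbd_export_info *info)
{
    free(info->name); free(info->description);
    info->name = info->description = NULL;
}

/* Parse the payload of one NBD_REP_SERVER reply.  'len' is the reply header's
 * length field, 'payload'/'avail' the bytes received after it.  Each check
 * runs before the bytes it guards are read or allocated. */
enum rep_status parse_rep_server(uint32_t len, const uint8_t *payload,
                                 size_t avail, nbd_export_info *out)
{
    out->name = out->description = NULL;
    if (len < sizeof(uint32_t)) return REP_ERR_LEN_TOO_SHORT;
    if (len > REP_MAX_LEN)      return REP_ERR_LEN_TOO_LARGE;
    if (avail < len)            return REP_ERR_TRUNCATED;

    uint32_t namelen = be32(payload);
    uint32_t rest = len - (uint32_t)sizeof(uint32_t);
    if (namelen > rest)         return REP_ERR_NAMELEN;
    if (namelen > NAME_MAX_LEN) return REP_ERR_NAME_TOO_LONG;

    out->name = dup_bytes(payload + 4, namelen);
    out->description = dup_bytes(payload + 4 + namelen, rest - namelen);
    if (!out->name || !out->description) {
        free_export_info(out);
        return REP_ERR_NOMEM;
    }
    return REP_OK;
}

/* Parse and discard: useful when only the verdict matters. */
enum rep_status probe(uint32_t len, const uint8_t *payload, size_t avail)
{
    nbd_export_info info;
    enum rep_status st = parse_rep_server(len, payload, avail, &info);
    free_export_info(&info);
    return st;
}

/* Constructed sample payloads, not captured from any real server. */
static const uint8_t SAMPLE_WITH_DESC[] = {      /* namelen=4 "disk" + "main volume" */
    0x00, 0x00, 0x00, 0x04, 'd', 'i', 's', 'k',
    'm', 'a', 'i', 'n', ' ', 'v', 'o', 'l', 'u', 'm', 'e'
};
static const uint8_t SAMPLE_NAME_ONLY[] = { 0x00, 0x00, 0x00, 0x04, 'd', 'i', 's', 'k' };
static const uint8_t SAMPLE_BAD_NAMELEN[] = { 0x00, 0x00, 0x01, 0x00, 'a', 'b', 'c', 'd' };

/* Returns 1 if the description-bearing sample parses into the expected fields. */
int example_with_description(void)
{
    nbd_export_info info;
    int ok = parse_rep_server(19, SAMPLE_WITH_DESC, sizeof SAMPLE_WITH_DESC, &info) == REP_OK
          && strcmp(info.name, "disk") == 0
          && strcmp(info.description, "main volume") == 0;
    free_export_info(&info);
    return ok;
}

/* Verdict for a well-formed reply whose namelen (4097) exceeds NAME_MAX_LEN. */
enum rep_status example_name_too_long(void)
{
    uint32_t namelen = NAME_MAX_LEN + 1, len = 4 + namelen;
    uint8_t *buf = calloc(len, 1);
    if (!buf) return REP_ERR_NOMEM;
    buf[2] = (uint8_t)(namelen >> 8); buf[3] = (uint8_t)namelen;
    enum rep_status st = probe(len, buf, len);
    free(buf);
    return st;
}

int main(void)
{
    printf("with description: %s\n", example_with_description() ? "ok" : "FAIL");
    printf("len=2 verdict: %d\n", probe(2, SAMPLE_WITH_DESC, sizeof SAMPLE_WITH_DESC));
    return 0;
}
```

The ordering of the checks is the point: the length field is validated against both bounds before a single payload byte is consumed, and namelen is validated against the remaining length before any allocation, so a server that lies in either field costs the client nothing more than a closed connection.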

