From: Eric Blake <eblake@redhat.com>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>,
Max Reitz <mreitz@redhat.com>,
"open list:Network Block Dev..." <qemu-block@nongnu.org>,
Maxim Levitsky <mlevitsk@redhat.com>
Subject: [PULL 03/10] nbd/server: Prefer heap over stack for parsing client names
Date: Mon, 18 Nov 2019 21:07:52 -0600 [thread overview]
Message-ID: <20191119030759.24907-4-eblake@redhat.com> (raw)
In-Reply-To: <20191119030759.24907-1-eblake@redhat.com>
As long as we limit NBD names to 256 bytes (the bare minimum permitted
by the standard), stack-allocation works for parsing a name received
from the client. But as mentioned in a comment, we eventually want to
permit up to the 4k maximum of the NBD standard, which is too large
for stack allocation; so switch everything in the server to use heap
allocation. For now, there is no change in actually supported name
length.
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20191114024635.11363-2-eblake@redhat.com>
[eblake: fix uninit variable compile failure]
Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
---
include/block/nbd.h | 10 +++++-----
nbd/server.c | 25 +++++++++++++++----------
2 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/include/block/nbd.h b/include/block/nbd.h
index 316fd705a9e4..c306423dc85c 100644
--- a/include/block/nbd.h
+++ b/include/block/nbd.h
@@ -226,11 +226,11 @@ enum {
/* Maximum size of a single READ/WRITE data buffer */
#define NBD_MAX_BUFFER_SIZE (32 * 1024 * 1024)
-/* Maximum size of an export name. The NBD spec requires 256 and
- * suggests that servers support up to 4096, but we stick to only the
- * required size so that we can stack-allocate the names, and because
- * going larger would require an audit of more code to make sure we
- * aren't overflowing some other buffer. */
+/*
+ * Maximum size of an export name. The NBD spec requires a minimum of
+ * 256 and recommends that servers support up to 4096; all users use
+ * malloc so we can bump this constant without worry.
+ */
#define NBD_MAX_NAME_SIZE 256
/* Two types of reply structures */
diff --git a/nbd/server.c b/nbd/server.c
index d8d1e6245532..6bbeb98f8237 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -324,18 +324,20 @@ static int nbd_opt_skip(NBDClient *client, size_t size, Error **errp)
* uint32_t len (<= NBD_MAX_NAME_SIZE)
* len bytes string (not 0-terminated)
*
- * @name should be enough to store NBD_MAX_NAME_SIZE+1.
+ * On success, @name will be allocated.
* If @length is non-null, it will be set to the actual string length.
*
* Return -errno on I/O error, 0 if option was completely handled by
* sending a reply about inconsistent lengths, or 1 on success.
*/
-static int nbd_opt_read_name(NBDClient *client, char *name, uint32_t *length,
+static int nbd_opt_read_name(NBDClient *client, char **name, uint32_t *length,
Error **errp)
{
int ret;
uint32_t len;
+ g_autofree char *local_name = NULL;
+ *name = NULL;
ret = nbd_opt_read(client, &len, sizeof(len), errp);
if (ret <= 0) {
return ret;
@@ -347,15 +349,17 @@ static int nbd_opt_read_name(NBDClient *client, char *name, uint32_t *length,
"Invalid name length: %" PRIu32, len);
}
- ret = nbd_opt_read(client, name, len, errp);
+ local_name = g_malloc(len + 1);
+ ret = nbd_opt_read(client, local_name, len, errp);
if (ret <= 0) {
return ret;
}
- name[len] = '\0';
+ local_name[len] = '\0';
if (length) {
*length = len;
}
+ *name = g_steal_pointer(&local_name);
return 1;
}
@@ -427,7 +431,7 @@ static void nbd_check_meta_export(NBDClient *client)
static int nbd_negotiate_handle_export_name(NBDClient *client, bool no_zeroes,
Error **errp)
{
- char name[NBD_MAX_NAME_SIZE + 1];
+ g_autofree char *name = NULL;
char buf[NBD_REPLY_EXPORT_NAME_SIZE] = "";
size_t len;
int ret;
@@ -441,10 +445,11 @@ static int nbd_negotiate_handle_export_name(NBDClient *client, bool no_zeroes,
[10 .. 133] reserved (0) [unless no_zeroes]
*/
trace_nbd_negotiate_handle_export_name();
- if (client->optlen >= sizeof(name)) {
+ if (client->optlen > NBD_MAX_NAME_SIZE) {
error_setg(errp, "Bad length received");
return -EINVAL;
}
+ name = g_malloc(client->optlen + 1);
if (nbd_read(client->ioc, name, client->optlen, "export name", errp) < 0) {
return -EIO;
}
@@ -533,7 +538,7 @@ static int nbd_reject_length(NBDClient *client, bool fatal, Error **errp)
static int nbd_negotiate_handle_info(NBDClient *client, Error **errp)
{
int rc;
- char name[NBD_MAX_NAME_SIZE + 1];
+ g_autofree char *name = NULL;
NBDExport *exp;
uint16_t requests;
uint16_t request;
@@ -551,7 +556,7 @@ static int nbd_negotiate_handle_info(NBDClient *client, Error **errp)
2 bytes: N, number of requests (can be 0)
N * 2 bytes: N requests
*/
- rc = nbd_opt_read_name(client, name, &namelen, errp);
+ rc = nbd_opt_read_name(client, &name, &namelen, errp);
if (rc <= 0) {
return rc;
}
@@ -957,7 +962,7 @@ static int nbd_negotiate_meta_queries(NBDClient *client,
NBDExportMetaContexts *meta, Error **errp)
{
int ret;
- char export_name[NBD_MAX_NAME_SIZE + 1];
+ g_autofree char *export_name = NULL;
NBDExportMetaContexts local_meta;
uint32_t nb_queries;
int i;
@@ -976,7 +981,7 @@ static int nbd_negotiate_meta_queries(NBDClient *client,
memset(meta, 0, sizeof(*meta));
- ret = nbd_opt_read_name(client, export_name, NULL, errp);
+ ret = nbd_opt_read_name(client, &export_name, NULL, errp);
if (ret <= 0) {
return ret;
}
--
2.21.0
next prev parent reply other threads:[~2019-11-19 3:11 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-19 3:07 [PULL 00/10] NBD patches for 2019-11-19 for 4.2-rc2 Eric Blake
2019-11-19 3:07 ` [PULL 01/10] iotests: Test NBD client reconnection Eric Blake
2019-11-19 3:07 ` [PULL 02/10] qemu-coroutine-sleep: Silence Coverity warning Eric Blake
2019-11-19 3:07 ` Eric Blake [this message]
2019-11-19 3:07 ` [PULL 04/10] bitmap: Enforce maximum bitmap name length Eric Blake
2019-11-19 3:07 ` [PULL 05/10] nbd: Don't send oversize strings Eric Blake
2019-11-19 3:07 ` [PULL 06/10] MAINTAINERS: add more bitmap-related to Dirty Bitmaps section Eric Blake
2019-11-19 3:07 ` [PULL 07/10] iotests: Fix 173 Eric Blake
2019-11-19 3:07 ` [PULL 08/10] iotests: Switch nbd tests to use Unix rather than TCP Eric Blake
2019-11-19 3:07 ` [PULL 09/10] iotests: Include QMP input in .out files Eric Blake
2019-11-19 3:07 ` [PULL 10/10] tests: More iotest 223 improvements Eric Blake
2019-11-19 11:28 ` [PULL 00/10] NBD patches for 2019-11-19 for 4.2-rc2 Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191119030759.24907-4-eblake@redhat.com \
--to=eblake@redhat.com \
--cc=kwolf@redhat.com \
--cc=mlevitsk@redhat.com \
--cc=mreitz@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=vsementsov@virtuozzo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).