From: Eric Blake <eblake@redhat.com>
To: qemu-devel@nongnu.org
Cc: libguestfs@redhat.com, vsementsov@yandex-team.ru,
qemu-block@nongnu.org (open list:Network Block Dev...)
Subject: [PATCH v3 02/14] nbd/client: Add safety check on chunk payload length
Date: Mon, 15 May 2023 14:53:31 -0500 [thread overview]
Message-ID: <20230515195343.1915857-3-eblake@redhat.com> (raw)
In-Reply-To: <20230515195343.1915857-1-eblake@redhat.com>
Our existing use of structured replies either reads into a qiov capped
at 32M (NBD_CMD_READ) or caps allocation to 1000 bytes (see
NBD_MAX_MALLOC_PAYLOAD in block/nbd.c). But the existing length
checks are rather late; if we encounter a buggy (or malicious) server
that sends a super-large payload length, we should drop the connection
right then rather than assuming the layer on top will be careful.
This becomes more important when we permit 64-bit lengths which are
even more likely to have the potential for attempted denial of service
abuse.
Signed-off-by: Eric Blake <eblake@redhat.com>
---
nbd/client.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/nbd/client.c b/nbd/client.c
index ff75722e487..46f476400ab 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -1413,6 +1413,18 @@ static int nbd_receive_structured_reply_chunk(QIOChannel *ioc,
chunk->handle = be64_to_cpu(chunk->handle);
chunk->length = be32_to_cpu(chunk->length);
+ /*
+ * Because we use BLOCK_STATUS with REQ_ONE, and cap READ requests
+ * at 32M, no valid server should send us payload larger than
+ * this. Even if we stopped using REQ_ONE, sane servers will cap
+ * the number of extents they return for block status.
+ */
+ if (chunk->length > NBD_MAX_BUFFER_SIZE + sizeof(NBDStructuredReadData)) {
+ error_setg(errp, "server chunk %" PRIu32 " (%s) payload is too long",
+ chunk->type, nbd_rep_lookup(chunk->type));
+ return -EINVAL;
+ }
+
return 0;
}
--
2.40.1
next prev parent reply other threads:[~2023-05-15 19:55 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-15 19:53 [PATCH v3 00/14] qemu patches for 64-bit NBD extensions Eric Blake
2023-05-15 19:53 ` [PATCH v3 01/14] nbd/client: Use smarter assert Eric Blake
2023-05-29 8:20 ` Vladimir Sementsov-Ogievskiy
2023-05-15 19:53 ` Eric Blake [this message]
2023-05-29 8:25 ` [PATCH v3 02/14] nbd/client: Add safety check on chunk payload length Vladimir Sementsov-Ogievskiy
2023-05-15 19:53 ` [PATCH v3 03/14] nbd/server: Prepare for alternate-size headers Eric Blake
2023-05-29 14:26 ` Vladimir Sementsov-Ogievskiy
2023-05-30 16:29 ` Eric Blake
2023-05-31 7:28 ` Vladimir Sementsov-Ogievskiy
2023-05-15 19:53 ` [PATCH v3 04/14] nbd: Prepare for 64-bit request effect lengths Eric Blake
2023-05-30 13:05 ` Vladimir Sementsov-Ogievskiy
2023-05-30 18:23 ` Eric Blake
2023-05-15 19:53 ` [PATCH v3 05/14] nbd: Add types for extended headers Eric Blake
2023-05-30 13:23 ` Vladimir Sementsov-Ogievskiy
2023-05-30 18:22 ` [Libguestfs] " Eric Blake
2023-05-31 7:30 ` Vladimir Sementsov-Ogievskiy
2023-05-15 19:53 ` [PATCH v3 06/14] nbd/server: Refactor handling of request payload Eric Blake
2023-05-31 8:04 ` Vladimir Sementsov-Ogievskiy
2023-05-15 19:53 ` [PATCH v3 07/14] nbd/server: Refactor to pass full request around Eric Blake
2023-05-31 8:13 ` Vladimir Sementsov-Ogievskiy
2023-05-15 19:53 ` [PATCH v3 08/14] nbd/server: Support 64-bit block status Eric Blake
2023-05-31 14:10 ` Vladimir Sementsov-Ogievskiy
2023-05-15 19:53 ` [PATCH v3 09/14] nbd/server: Initial support for extended headers Eric Blake
2023-05-31 14:46 ` Vladimir Sementsov-Ogievskiy
2023-06-07 11:39 ` Eric Blake
2023-05-15 19:53 ` [PATCH v3 10/14] nbd/client: " Eric Blake
2023-05-31 15:26 ` Vladimir Sementsov-Ogievskiy
2023-06-07 18:22 ` Eric Blake
2023-05-15 19:53 ` [PATCH v3 11/14] nbd/client: Accept 64-bit block status chunks Eric Blake
2023-05-31 17:00 ` Vladimir Sementsov-Ogievskiy
2023-05-15 19:53 ` [PATCH v3 12/14] nbd/client: Request extended headers during negotiation Eric Blake
[not found] ` <1af7f692-b5de-c767-2568-1fc024a57133@yandex-team.ru>
[not found] ` <cqb3yww5ceeinh2pb5nqaljrsllu3ejkjsdueuw32cwcocumsn@okgujto2lzmn>
[not found] ` <cd83b0bc-0e6b-fc94-1cc2-9bf00d516140@yandex-team.ru>
[not found] ` <hbjtjovry4e5kb6oyii4g2hncetfo2uic67r5ipufcikvgyb5x@idenexfxits4>
2023-06-01 8:43 ` Vladimir Sementsov-Ogievskiy
2023-05-15 19:53 ` [PATCH v3 13/14] nbd/server: Prepare for per-request filtering of BLOCK_STATUS Eric Blake
2023-06-01 9:57 ` Vladimir Sementsov-Ogievskiy
2023-05-15 19:53 ` [PATCH v3 14/14] nbd/server: Add FLAG_PAYLOAD support to CMD_BLOCK_STATUS Eric Blake
2023-06-02 9:13 ` Vladimir Sementsov-Ogievskiy
2023-06-02 13:14 ` [Libguestfs] " Eric Blake
2023-05-15 21:05 ` [Libguestfs] [PATCH v3 00/14] qemu patches for 64-bit NBD extensions Eric Blake
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230515195343.1915857-3-eblake@redhat.com \
--to=eblake@redhat.com \
--cc=libguestfs@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=vsementsov@yandex-team.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).