From: Eric Blake
To: Alex Bligh
Cc: qemu-devel@nongnu.org, Paolo Bonzini
Date: Fri, 8 Apr 2016 07:52:15 -0600
Message-ID: <5707B78F.5050104@redhat.com>
References: <1460077777-31004-1-git-send-email-eblake@redhat.com>
Subject: Re: [Qemu-devel] [PATCH for-2.6] nbd: Don't fail handshake on NBD_OPT_LIST descriptions

On 04/07/2016 11:51 PM, Alex Bligh wrote:
>
> On 8 Apr 2016, at 02:09, Eric Blake wrote:
>
>> The NBD Protocol states that NBD_REP_SERVER may set
>> 'length > sizeof(namelen) + namelen'; in which case the rest
>> of the packet is a UTF-8 description of the export. While we
>> don't know of any NBD servers that send this description yet,
>> we had better consume the data so we don't choke when we start
>> to talk to such a server.
>>
>> Also, a (buggy/malicious) server that replies with length <
>> sizeof(namelen) would cause us to block waiting for bytes that
>> the server is not sending, and one that replies with super-huge
>> lengths could cause us to temporarily allocate up to 4G memory.
>> Sanity check things before blindly reading incorrectly.
>>
>> Signed-off-by: Eric Blake
>> ---
>> + if (len < namelen) {
>> + error_setg(errp, "incorrect option name length");
>> return -1;
>> }
>> if (namelen > 255) {
>
> Shouldn't that be 4096? You are after all reading up to NBD_MAX_BUFFER_SIZE (32K) of data just earlier.
>

NBD_MAX_BUFFER_SIZE is actually 32M, not 32k.

> Not technically the bug you are trying to fix, so

And yes, I need to do a much bigger scrub of qemu code, both client and
server, to allow export names longer than 255, up to the
just-barely-documented 4096 maximum in the NBD protocol. But you are
right that such an audit is separate from this immediate fix.

>
> Reviewed-by: Alex Bligh

Thanks.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
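Review bot: the quoted hunk only adds `if (len < namelen)`; the `length < sizeof(namelen)` case that the commit message says would make the client block is not visible in these lines, so the subtraction that produces `len` needs its own guard against underflow before this check, or the check should be written on the raw length against `sizeof(namelen) + namelen` as the commit message phrases it. The literal `255` in `if (namelen > 255)` would also read better as a named constant with a comment that the protocol allows 4096, so the follow-up audit the thread agrees on has a single place to change.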
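The sanity checks the commit message describes, as an added example in C that is not qemu's code: it parses one NBD_REP_SERVER payload from an in-memory buffer and rejects the malformed cases the thread discusses (length below sizeof(namelen), name longer than the payload, oversized length, and a server that advertises more bytes than it sent). The NBD_MAX_BUFFER_SIZE value, MAX_NAME_LEN and the function nbd_parse_rep_server are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

#define NBD_MAX_BUFFER_SIZE (32u * 1024 * 1024) /* assumed 32M cap on len */
#define MAX_NAME_LEN 255u                       /* qemu's current limit */

struct nbd_export {
    char name[MAX_NAME_LEN + 1];
    uint32_t desc_len;  /* description bytes consumed but not stored */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Parse one NBD_REP_SERVER payload: 32-bit big-endian namelen, the name,
 * then an optional UTF-8 description filling the rest of `len`.
 * `len` is the length the server advertised; buf/avail is what actually
 * arrived, so a short reply is an error instead of a blocking read.
 * Returns 0 on success, -1 if the reply is malformed. */
int nbd_parse_rep_server(uint32_t len, const uint8_t *buf, size_t avail,
                         struct nbd_export *out)
{
    uint32_t namelen;

    if (len > NBD_MAX_BUFFER_SIZE) {   /* refuse multi-GB allocations */
        return -1;
    }
    if (len < sizeof(namelen)) {       /* len - 4 would underflow */
        return -1;
    }
    if (avail < len) {                 /* server promised more than it sent */
        return -1;
    }
    namelen = be32(buf);
    len -= sizeof(namelen);
    if (namelen > len) {               /* name cannot exceed the payload */
        return -1;
    }
    if (namelen > MAX_NAME_LEN) {
        return -1;
    }
    memcpy(out->name, buf + sizeof(namelen), namelen);
    out->name[namelen] = '\0';
    out->desc_len = len - namelen;     /* description: consumed, ignored */
    return 0;
}
```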