From: Eric Blake
Date: Thu, 14 Apr 2016 09:26:18 -0600
Subject: Re: [Qemu-devel] [PATCH for-2.6] nbd: Don't fail handshake on NBD_OPT_LIST descriptions
Message-ID: <570FB69A.1000703@redhat.com>
In-Reply-To: <1460077777-31004-1-git-send-email-eblake@redhat.com>
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, alex@alex.org.uk, qemu block

[adding qemu-block in cc, since Paolo can't send pull request]

On 04/07/2016 07:09 PM, Eric Blake wrote:
> The NBD Protocol states that NBD_REP_SERVER may set
> 'length > sizeof(namelen) + namelen'; in which case the rest
> of the packet is a UTF-8 description of the export. While we
> don't know of any NBD servers that send this description yet,
> we had better consume the data so we don't choke when we start
> to talk to such a server.
>
> Also, a (buggy/malicious) server that replies with length <
> sizeof(namelen) would cause us to block waiting for bytes that
> the server is not sending, and one that replies with super-huge
> lengths could cause us to temporarily allocate up to 4G memory.
> Sanity check things before blindly reading incorrectly.
>
> Signed-off-by: Eric Blake
> ---
>
> Yet another case of code introduced in 2.6 that doesn't play
> nicely with spec-compliant servers...
>
> Hopefully I've squashed them all now?
>
>  nbd/client.c | 23 +++++++++++++++++++++--
>  1 file changed, 21 insertions(+), 2 deletions(-)
>
> diff --git a/nbd/client.c b/nbd/client.c
> index 6777e58..48f2a21 100644
> --- a/nbd/client.c
> +++ b/nbd/client.c
> @@ -192,13 +192,18 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, Error **errp)
>              return -1;
>          }
>      } else if (type == NBD_REP_SERVER) {
> +        if (len < sizeof(namelen) || len > NBD_MAX_BUFFER_SIZE) {
> +            error_setg(errp, "incorrect option length");
> +            return -1;
> +        }
>          if (read_sync(ioc, &namelen, sizeof(namelen)) != sizeof(namelen)) {
>              error_setg(errp, "failed to read option name length");
>              return -1;
>          }
>          namelen = be32_to_cpu(namelen);
> -        if (len != (namelen + sizeof(namelen))) {
> -            error_setg(errp, "incorrect option mame length");
> +        len -= sizeof(namelen);
> +        if (len < namelen) {
> +            error_setg(errp, "incorrect option name length");
>              return -1;
>          }
>          if (namelen > 255) {
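Review bot: the two new range checks in the NBD_REP_SERVER branch are order-dependent and deserve a one-line comment, because neither purpose is visible from the error string "incorrect option length": `len < sizeof(namelen)` must be tested before `len -= sizeof(namelen)` so the subtraction cannot go below zero or wrap, and `len > NBD_MAX_BUFFER_SIZE` is the bound that keeps the description buffer allocated in the next hunk small. Relaxing the old equality test to `if (len < namelen)` is the right change for the spec's optional trailing description, and since `if (namelen > 255)` still follows, the name allocation remains bounded as before.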
> @@ -214,6 +219,20 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, Error **errp)
>              return -1;
>          }
>          (*name)[namelen] = '\0';
> +        len -= namelen;
> +        if (len) {
> +            char *buf = g_malloc(len + 1);
> +            if (read_sync(ioc, buf, len) != len) {
> +                error_setg(errp, "failed to read export description");
> +                g_free(*name);
> +                g_free(buf);
> +                *name = NULL;
> +                return -1;
> +            }
> +            buf[len] = '\0';
> +            TRACE("Ignoring export description: %s", buf);
> +            g_free(buf);
> +        }
>      } else {
>          error_setg(errp, "Unexpected reply type %x expected %x",
>                     type, NBD_REP_SERVER);
>

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
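Review bot: the `g_malloc(len + 1)` / `read_sync` / `g_free(buf)` sequence exists only to drain bytes the client then ignores, so a short comment that `len` is already capped by the `NBD_MAX_BUFFER_SIZE` check in the previous hunk would save the next reader from wondering whether this is a new unbounded allocation. Also, `TRACE("Ignoring export description: %s", buf)` prints server-supplied bytes verbatim: the spec calls them UTF-8 but nothing here checks that, and an embedded NUL silently truncates the trace; both are harmless for debug output but worth stating. The error path correctly frees both `buf` and `*name` and sets `*name = NULL`, matching the cleanup pattern of the surrounding code.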
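The commit message describes the NBD_REP_SERVER payload (big-endian namelen, name, optional description filling the rest of the advertised length) and the two hazards the old code had: a too-short length blocks on bytes never sent, a huge length allocates up to 4G. The following is an added stand-alone C example, not QEMU's code, that parses such a payload from a constructed buffer in the same check order the patch introduces; the NBD_MAX_BUFFER_SIZE value, the sample packet and the `avail` parameter (standing in for what a socket would actually deliver) are all constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for QEMU's cap; the real constant lives in its NBD headers. */
#define NBD_MAX_BUFFER_SIZE (32u * 1024u * 1024u)

/*
 * Parse an NBD_REP_SERVER payload: 32-bit big-endian namelen, the export name,
 * then whatever remains of 'len' is an optional UTF-8 description.  'avail' is
 * how many payload bytes were really received; a socket client has no such
 * count and simply blocks when a server advertises more than it sends, which
 * is why both length checks must run before any read.  On success *name is
 * malloc'd and *desc_len says how many description bytes to drain and ignore.
 */
static int parse_rep_server(const uint8_t *buf, size_t avail, uint32_t len,
                            char **name, uint32_t *desc_len)
{
    uint32_t namelen;

    *name = NULL;
    *desc_len = 0;
    /* Reject before reading: too short would block, too long would allocate. */
    if (len < sizeof(namelen) || len > NBD_MAX_BUFFER_SIZE) {
        return -1;                          /* incorrect option length */
    }
    if (avail < len) {
        return -2;                          /* a real client would hang here */
    }
    namelen = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
              ((uint32_t)buf[2] << 8) | buf[3];
    len -= sizeof(namelen);                 /* cannot wrap: len >= 4 checked above */
    if (len < namelen || namelen > 255) {
        return -1;                          /* incorrect option name length */
    }
    *name = malloc(namelen + 1);
    if (!*name) {
        return -1;
    }
    memcpy(*name, buf + sizeof(namelen), namelen);
    (*name)[namelen] = '\0';
    *desc_len = len - namelen;              /* description: consume, never trust */
    return 0;
}

/* Constructed sample payload: namelen = 3, name "foo", description "hello". */
static const uint8_t sample_pkt[] = {0, 0, 0, 3, 'f', 'o', 'o',
                                     'h', 'e', 'l', 'l', 'o'};
```

Feeding `sample_pkt` with advertised lengths 3, 0xFFFFFFFF, 6, 7 and 12 exercises, in turn, the short-length rejection, the oversize rejection, a namelen larger than the remaining bytes, a name with no description, and a name followed by a 5-byte description.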