From: Eric Blake <eblake@redhat.com>
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>,
vsementsov@virtuozzo.com, qemu-block@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v4 5/8] nbd/server: Include human-readable message in structured errors
Date: Thu, 19 Oct 2017 16:39:26 -0500 [thread overview]
Message-ID: <e7b608d1-0c70-d21e-d191-fa2ecdbdb075@redhat.com> (raw)
In-Reply-To: <20171015010131.12172-6-eblake@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 2581 bytes --]
On 10/14/2017 08:01 PM, Eric Blake wrote:
> The NBD spec permits including a human-readable error string if
> structured replies are in force, so we might as well send the
> client the message that we logged on any error.
>
> Signed-off-by: Eric Blake <eblake@redhat.com>
> ---
> nbd/server.c | 22 ++++++++++++++++------
> nbd/trace-events | 2 +-
> 2 files changed, 17 insertions(+), 7 deletions(-)
>
> assert(nbd_err);
> - trace_nbd_co_send_structured_error(handle, nbd_err);
> + trace_nbd_co_send_structured_error(handle, nbd_err,
> + nbd_err_lookup(nbd_err), msg);
> set_be_chunk(&chunk.h, NBD_REPLY_FLAG_DONE, NBD_REPLY_TYPE_ERROR, handle,
> sizeof(chunk) - sizeof(chunk.h));
Bug - it's a bad idea to not include the message length in the overall
length, because the client then gets out of sync with the server (it
reads only 6 bytes instead of 6+strlen(msg) bytes, and expects the
message to start with the magic number for the next reply).
> stl_be_p(&chunk.error, nbd_err);
> - stw_be_p(&chunk.message_length, 0);
> + stw_be_p(&chunk.message_length, iov[1].iov_len);
But this also highlights a bug in 9/8, where we have:
> +static int nbd_parse_error_payload(NBDStructuredReplyChunk *chunk,
> + uint8_t *payload, int *request_ret,
> + Error **errp)
> +{
> + uint32_t error;
> + uint16_t message_size;
> +
> + assert(chunk->type & (1 << 15));
> +
> + if (chunk->length < sizeof(error) + sizeof(message_size)) {
> + error_setg(errp,
> + "Protocol error: invalid payload for structured error");
> + return -EINVAL;
> + }
> +
> + error = nbd_errno_to_system_errno(payload_advance32(&payload));
> + if (error == 0) {
> + error_setg(errp, "Protocol error: server sent structured error chunk"
> + "with error = 0");
> + return -EINVAL;
> + }
> +
> + *request_ret = error;
> + message_size = payload_advance16(&payload);
> + error_setg_errno(errp, error, "%.*s", message_size, payload);
Whoops - no sanity check that message_size fits within chunk->length.
So when we read message_length 33 (when the server sends a message 33
bytes long), we are then dereferencing up to 33 bytes of garbage beyond
the end of payload.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 619 bytes --]
next prev parent reply other threads:[~2017-10-19 21:39 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-15 1:01 [Qemu-devel] [PATCH v4 0/8] nbd mimimal structured read Eric Blake
2017-10-15 1:01 ` [Qemu-devel] [PATCH v4 1/8] nbd: Include error names in trace messages Eric Blake
2017-10-16 8:30 ` Vladimir Sementsov-Ogievskiy
2017-10-16 18:05 ` Eric Blake
2017-10-15 1:01 ` [Qemu-devel] [PATCH v4 2/8] nbd: Move nbd_errno_to_system_errno() to public header Eric Blake
2017-10-16 8:33 ` Vladimir Sementsov-Ogievskiy
2017-10-16 12:12 ` Eric Blake
2017-10-15 1:01 ` [Qemu-devel] [PATCH v4 3/8] nbd: Expose constants and structs for structured read Eric Blake
2017-10-16 8:49 ` Vladimir Sementsov-Ogievskiy
2017-10-16 12:15 ` Eric Blake
2017-10-15 1:01 ` [Qemu-devel] [PATCH v4 4/8] nbd: Minimal structured read for server Eric Blake
2017-10-16 9:49 ` Vladimir Sementsov-Ogievskiy
2017-10-16 12:18 ` Eric Blake
2017-10-16 15:41 ` Eric Blake
2017-10-16 19:29 ` Eric Blake
2017-10-15 1:01 ` [Qemu-devel] [PATCH v4 5/8] nbd/server: Include human-readable message in structured errors Eric Blake
2017-10-16 10:59 ` Vladimir Sementsov-Ogievskiy
2017-10-16 12:26 ` Eric Blake
2017-10-19 21:39 ` Eric Blake [this message]
2017-10-15 1:01 ` [Qemu-devel] [PATCH v4 6/8] nbd/client: refactor nbd_receive_starttls Eric Blake
2017-10-16 11:09 ` Vladimir Sementsov-Ogievskiy
2017-10-19 19:31 ` Eric Blake
2017-10-15 1:01 ` [Qemu-devel] [PATCH v4 7/8] nbd/client: prepare nbd_receive_reply for structured reply Eric Blake
2017-10-16 11:28 ` Vladimir Sementsov-Ogievskiy
2017-10-15 1:01 ` [Qemu-devel] [PATCH v4 8/8] nbd: Move nbd_read() to common header Eric Blake
2017-10-16 11:31 ` Vladimir Sementsov-Ogievskiy
2017-10-17 12:57 ` [Qemu-devel] [PATCH v4 RFC 9/8] nbd: Minimal structured read for client Vladimir Sementsov-Ogievskiy
2017-10-17 21:17 ` Eric Blake
2017-10-19 20:46 ` Eric Blake
2017-10-19 19:06 ` Eric Blake
2017-10-19 19:47 ` Eric Blake
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e7b608d1-0c70-d21e-d191-fa2ecdbdb075@redhat.com \
--to=eblake@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=vsementsov@virtuozzo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).