Commit 29c838cd authored by Peter Lieven's avatar Peter Lieven Committed by Stefan Hajnoczi
Browse files

block/nfs: limit maximum readahead size to 1MB 



a malicious caller could otherwise specify a very
large value via the URI and force libnfs to allocate
a large amount of memory for the readahead buffer.

Cc: qemu-stable@nongnu.org
Signed-off-by: default avatarPeter Lieven <pl@kamp.de>
Message-id: 1435317241-25585-1-git-send-email-pl@kamp.de
Signed-off-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
parent 9049736e

block/nfs.c

+7 −0
Original line number Diff line number Diff line
@@ -35,6 +35,8 @@ 
#include "sysemu/sysemu.h"

#include <nfsc/libnfs.h>



#define QEMU_NFS_MAX_READAHEAD_SIZE 1048576



typedef struct NFSClient {

    struct nfs_context *context;

    struct nfsfh *fh;
@@ -327,6 +329,11 @@ static int64_t nfs_client_open(NFSClient *client, const char *filename, 
            nfs_set_tcp_syncnt(client->context, val);

#ifdef LIBNFS_FEATURE_READAHEAD

        } else if (!strcmp(qp->p[i].name, "readahead")) {

            if (val > QEMU_NFS_MAX_READAHEAD_SIZE) {

                error_report("NFS Warning: Truncating NFS readahead"

                             " size to %d", QEMU_NFS_MAX_READAHEAD_SIZE);

                val = QEMU_NFS_MAX_READAHEAD_SIZE;

            }

            nfs_set_readahead(client->context, val);

#endif

        } else {