Commit 844496f3 authored by Peter Maydell's avatar Peter Maydell
Browse files

Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2017-11-28' into staging 



nbd patches for 2017-11-28

Eric Blake - 0/2 fix two NBD server CVEs

# gpg: Signature made Tue 28 Nov 2017 12:58:29 GMT
# gpg:                using RSA key 0xA7A16B4A2527436A
# gpg: Good signature from "Eric Blake <eblake@redhat.com>"
# gpg:                 aka "Eric Blake (Free Software Programmer) <ebb9@byu.net>"
# gpg:                 aka "[jpeg image of size 6874]"
# Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2  F3AA A7A1 6B4A 2527 436A

* remotes/ericb/tags/pull-nbd-2017-11-28:
  nbd/server: CVE-2017-15118 Stack smash on large export name
  nbd/server: CVE-2017-15119 Reject options larger than 32M

Signed-off-by: default avatarPeter Maydell <peter.maydell@linaro.org>
parents a914f04c 51ae4f84

nbd/server.c

+10 −0
Original line number Diff line number Diff line
@@ -386,6 +386,10 @@ static int nbd_negotiate_handle_info(NBDClient *client, uint32_t length, 
        msg = "name length is incorrect";

        goto invalid;

    }

    if (namelen >= sizeof(name)) {

        msg = "name too long for qemu";

        goto invalid;

    }

    if (nbd_read(client->ioc, name, namelen, errp) < 0) {

        return -EIO;

    }
@@ -673,6 +677,12 @@ static int nbd_negotiate_options(NBDClient *client, uint16_t myflags, 
        }

        length = be32_to_cpu(length);



        if (length > NBD_MAX_BUFFER_SIZE) {

            error_setg(errp, "len (%" PRIu32" ) is larger than max len (%u)",

                       length, NBD_MAX_BUFFER_SIZE);

            return -EINVAL;

        }



        trace_nbd_negotiate_options_check_option(option,

                                                 nbd_opt_lookup(option));

        if (client->tlscreds &&