Commit eb38c3b6 authored by Paolo Bonzini's avatar Paolo Bonzini

nbd-server: do not check request length except for reads and writes



Only reads and writes need to allocate memory corresponding to the
request length.  Other requests can be sent to the storage without
allocating any memory, and thus any request length is acceptable.

Reported-by: default avatarSitsofe Wheeler <sitsofe@yahoo.com>
Cc: qemu-block@nongnu.org
Reviewed-by: default avatarMax Reitz <mreitz@redhat.com>
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
parent 1a6245a5
+7 −7
@@ -818,13 +818,6 @@ static ssize_t nbd_co_receive_request(NBDRequest *req, struct nbd_request *reque
        goto out;
    }

    if (request->len > NBD_MAX_BUFFER_SIZE) {
        LOG("len (%u) is larger than max len (%u)",
            request->len, NBD_MAX_BUFFER_SIZE);
        rc = -EINVAL;
        goto out;
    }

    if ((request->from + request->len) < request->from) {
        LOG("integer overflow detected! "
            "you're probably being attacked");
@@ -836,6 +829,13 @@ static ssize_t nbd_co_receive_request(NBDRequest *req, struct nbd_request *reque

    command = request->type & NBD_CMD_MASK_COMMAND;
    if (command == NBD_CMD_READ || command == NBD_CMD_WRITE) {
        if (request->len > NBD_MAX_BUFFER_SIZE) {
            LOG("len (%u) is larger than max len (%u)",
                request->len, NBD_MAX_BUFFER_SIZE);
            rc = -EINVAL;
            goto out;
        }

        req->data = blk_blockalign(client->exp->blk, request->len);
    }
    if (command == NBD_CMD_WRITE) {
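Review bot: Commands other than read and write now reach the backend with a client-supplied `request->len` that is bounded only by the wrap-around test on `request->from + request->len` in the first hunk, because the `NBD_MAX_BUFFER_SIZE` cap moved into the `NBD_CMD_READ`/`NBD_CMD_WRITE` branch of the second hunk. Nothing visible in this section compares that range with the export size, so it is worth confirming that the dispatch code outside these hunks rejects out-of-range requests for the remaining commands before they are issued to storage. The moved check should also carry a comment recording why it sits there, for example `/* Cap len only where it sizes req->data; any command that starts buffering must add its own bound. */`, so that a later command which allocates from `request->len` does not silently inherit an unbounded length. `nbd_co_receive_request` starts and ends outside both hunks, so the rest of its validation was not reviewed.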