Kurt Fitzner writes:
There is a buffer size bug in the nbd server from at least version 2.7.5
and on.
The buffer size is exactly one megabyte, but nbd-server will accept
requests that are the buffer size. The problem is, the server makes no
allowance that the buffer must also hold the reply header. A read
request that is exactly one megabyte will write past the end of the
buffer by the size of the reply header.
The allocation of the buffer needs to be BUFSIZE + sizeof(struct nbd_reply).
http://sourceforge.net/mailarchive/forum.php?thread_id=9201144&forum_id=40388
http://bugs.gentoo.org/116314
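As an added illustration (not part of this patch and not nbd-server's own code), the C model below reproduces the arithmetic described above: a BUFSIZE-byte buffer receives the reply header followed by the requested data, so a read of exactly BUFSIZE bytes writes sizeof(struct nbd_reply) bytes past its end, and capping len at BUFSIZE - sizeof(struct nbd_reply) removes the overrun. The struct layout, the two check functions and the simulate_read helper are assumptions made for this example; to observe the overrun without undefined behaviour the helper allocates a canary tail beyond the modelled buffer and counts how many canary bytes get clobbered.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One megabyte, as the patch description says the server's buffer is. */
#define BUFSIZE (1024u * 1024u)

/* Assumed reply header layout for this example (16 bytes). */
struct nbd_reply {
    uint32_t magic;
    uint32_t error;
    char     handle[8];
};

/* Pre-patch check: any request up to BUFSIZE bytes is accepted. */
static bool old_request_ok(uint32_t len)
{
    return len <= BUFSIZE;
}

/* Patched check: leave room for the reply header in front of the data. */
static bool new_request_ok(uint32_t len)
{
    return len <= BUFSIZE - sizeof(struct nbd_reply);
}

/*
 * Model of the server's read path. Returns -1 if the chosen check rejects
 * the request, -2 on allocation failure, otherwise the number of bytes
 * written past the BUFSIZE buffer. A canary tail of sizeof(struct nbd_reply)
 * bytes is allocated after the buffer so the write stays inside the
 * allocation for every request the checks let through.
 */
static long simulate_read(uint32_t len, bool patched)
{
    if (patched ? !new_request_ok(len) : !old_request_ok(len))
        return -1;                       /* "Request too big!" */

    const size_t tail = sizeof(struct nbd_reply);
    unsigned char *buf = malloc(BUFSIZE + tail);
    if (!buf)
        return -2;

    memset(buf + BUFSIZE, 0xAA, tail);   /* canary just past the real buffer */

    struct nbd_reply reply;
    memset(&reply, 0, sizeof reply);
    memcpy(buf, &reply, sizeof reply);   /* reply header goes first ...     */
    memset(buf + sizeof reply, 0x5A, len); /* ... then len bytes of block data */

    long clobbered = 0;
    for (size_t i = 0; i < tail; i++)
        if (buf[BUFSIZE + i] != 0xAA)
            clobbered++;

    free(buf);
    return clobbered;
}

int main(void)
{
    printf("1 MiB read, old check: %ld bytes past the buffer\n",
           simulate_read(BUFSIZE, false));
    printf("1 MiB read, new check: %ld (rejected)\n",
           simulate_read(BUFSIZE, true));
    printf("largest accepted read after patch: %ld bytes past the buffer\n",
           simulate_read(BUFSIZE - (uint32_t)sizeof(struct nbd_reply), true));
    return 0;
}
```

The overrun is exactly the header size, which is why the description's alternative remedy (allocating BUFSIZE + sizeof(struct nbd_reply)) and the patch's remedy (accepting BUFSIZE - sizeof(struct nbd_reply)) are equivalent for the read path.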
--- nbd/nbd-server.c
+++ nbd/nbd-server.c
@@ -677,7 +677,7 @@ int mainloop(CLIENT *client) {
if (request.magic != htonl(NBD_REQUEST_MAGIC))
err("Not enough magic.");
- if (len > BUFSIZE)
+ if (len > BUFSIZE - sizeof(struct nbd_reply))
err("Request too big!");
#ifdef DODBG
printf("%s from %Lu (%Lu) len %d, ", request.type ? "WRITE" :
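Review bot: the hunk closes the overrun by shrinking the accepted request length, but the description above says the fix should be to allocate BUFSIZE + sizeof(struct nbd_reply); one of the two should change so the text matches the code, and since this version turns a read of exactly BUFSIZE bytes, which the server accepted before, into a "Request too big!" error, that behaviour change deserves a sentence in the description. A smaller point on the `+` line: sizeof yields size_t, so `len > BUFSIZE - sizeof(struct nbd_reply)` is evaluated as an unsigned comparison; if `len` is a signed int this still rejects negative values (they convert to very large unsigned values), but a short comment or an explicit cast would make that intent visible to the next reader.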