block/nbd: check that received handle is valid

If we don't have active request, that waiting for this handle to be received, we should report an error. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Message-Id: <20210902103805.25686-6-vsementsov@virtuozzo.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com>
2021-09-02 13:38:05 +03:00 · 2021-09-02 13:38:05 +03:00 · 1af7737871
commit 1af7737871
parent 4ddb5d2fde
1 changed files with 3 additions and 8 deletions
--- a/block/nbd.c
+++ b/block/nbd.c
@ -58,6 +58,7 @@ typedef struct {
    Coroutine *coroutine;
    uint64_t offset;        /* original offset of the request */
    bool receiving;         /* sleeping in the yield in nbd_receive_replies */
+    bool reply_possible;    /* reply header not yet received */
 } NBDClientRequest;

 typedef enum NBDClientState {
@ -415,14 +416,7 @@ static coroutine_fn int nbd_receive_replies(BDRVNBDState *s, uint64_t handle)
            return 0;
        }
        ind2 = HANDLE_TO_INDEX(s, s->reply.handle);
-        if (ind2 >= MAX_NBD_REQUESTS || !s->requests[ind2].coroutine) {
-            /*
-             * We only check that ind2 request exists. But don't check
-             * whether it is now waiting for the reply header or
-             * not. We can't just check s->requests[ind2].receiving:
-             * ind2 request may wait in trying to lock
-             * receive_mutex. So that's a TODO.
-             */
+        if (ind2 >= MAX_NBD_REQUESTS || !s->requests[ind2].reply_possible) {
            nbd_channel_error(s, -EINVAL);
            return -EINVAL;
        }
@ -468,6 +462,7 @@ static int nbd_co_send_request(BlockDriverState *bs,
    s->requests[i].coroutine = qemu_coroutine_self();
    s->requests[i].offset = request->from;
    s->requests[i].receiving = false;
+    s->requests[i].reply_possible = true;

    request->handle = INDEX_TO_HANDLE(s, i);