nbd patches for 2017-11-28

Eric Blake - 0/2 fix two NBD server CVEs -----BEGIN PGP SIGNATURE----- Comment: Public key at http://people.redhat.com/eblake/eblake.gpg iQEcBAABCAAGBQJaHV11AAoJEKeha0olJ0NqhL0IAJOHoH7yej3P4qPlJMO0BJ3s ACVUOvF+4Ms4nAjXlpqZh59ZU83rH8Q5NuyJn2k7dotVY9nvaKQGqgT/FB9Gqq0G hUOGCSDsF/4olyUkq4tcCD5gRc962YFEPr7TCbAXufZmxKFHDNnW32wyo3NtKQfR Ph7YA9pNOgf0u2Y9/sjhz2CQn6svB6NDswgHvHqTvSHQyLTSH0G5u0HSbAB6X/SZ swz9blEDiV5OVb53TpYSzgzVGZjWlfesCpUV2hTVSOeZ/koUhKf9H87msj9n5itt hyvgANehDBDMbSLNc3irHPaN9kL5ulmYdCmyssepXe77/QRokQ69ZhqUxIRofvU= =Igjs -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2017-11-28' into staging nbd patches for 2017-11-28 Eric Blake - 0/2 fix two NBD server CVEs # gpg: Signature made Tue 28 Nov 2017 12:58:29 GMT # gpg: using RSA key 0xA7A16B4A2527436A # gpg: Good signature from "Eric Blake <eblake@redhat.com>" # gpg: aka "Eric Blake (Free Software Programmer) <ebb9@byu.net>" # gpg: aka "[jpeg image of size 6874]" # Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2 F3AA A7A1 6B4A 2527 436A * remotes/ericb/tags/pull-nbd-2017-11-28: nbd/server: CVE-2017-15118 Stack smash on large export name nbd/server: CVE-2017-15119 Reject options larger than 32M Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-28 13:12:48 +00:00 · 2017-11-28 13:12:48 +00:00 · 844496f3e5
commit 844496f3e5
parent a914f04c23 51ae4f8455
1 changed files with 10 additions and 0 deletions
--- a/nbd/server.c
+++ b/nbd/server.c
@ -386,6 +386,10 @@ static int nbd_negotiate_handle_info(NBDClient *client, uint32_t length,
        msg = "name length is incorrect";
        goto invalid;
    }
+    if (namelen >= sizeof(name)) {
+        msg = "name too long for qemu";
+        goto invalid;
+    }
    if (nbd_read(client->ioc, name, namelen, errp) < 0) {
        return -EIO;
    }
@ -673,6 +677,12 @@ static int nbd_negotiate_options(NBDClient *client, uint16_t myflags,
        }
        length = be32_to_cpu(length);

+        if (length > NBD_MAX_BUFFER_SIZE) {
+            error_setg(errp, "len (%" PRIu32" ) is larger than max len (%u)",
+                       length, NBD_MAX_BUFFER_SIZE);
+            return -EINVAL;
+        }
+
        trace_nbd_negotiate_options_check_option(option,
                                                 nbd_opt_lookup(option));
        if (client->tlscreds &&