nbd: avoid out of bounds access to recv_coroutine array

This can happen with a buggy or malicious server.

Reported-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This commit is contained in:
Paolo Bonzini 2012-03-12 15:23:13 +01:00
parent e6f5d0be73
commit dd3e8ac413

View File

@ -150,7 +150,7 @@ static int nbd_have_request(void *opaque)
static void nbd_reply_ready(void *opaque) static void nbd_reply_ready(void *opaque)
{ {
BDRVNBDState *s = opaque; BDRVNBDState *s = opaque;
int i; uint64_t i;
if (s->reply.handle == 0) { if (s->reply.handle == 0) {
/* No reply already in flight. Fetch a header. */ /* No reply already in flight. Fetch a header. */
@ -164,6 +164,10 @@ static void nbd_reply_ready(void *opaque)
* handler acts as a synchronization point and ensures that only * handler acts as a synchronization point and ensures that only
* one coroutine is called until the reply finishes. */ * one coroutine is called until the reply finishes. */
i = HANDLE_TO_INDEX(s, s->reply.handle); i = HANDLE_TO_INDEX(s, s->reply.handle);
if (i >= MAX_NBD_REQUESTS) {
goto fail;
}
if (s->recv_coroutine[i]) { if (s->recv_coroutine[i]) {
qemu_coroutine_enter(s->recv_coroutine[i], NULL); qemu_coroutine_enter(s->recv_coroutine[i], NULL);
return; return;