nbd: avoid out of bounds access to recv_coroutine array
This can happen with a buggy or malicious server. Reported-by: Michael Tokarev <mjt@tls.msk.ru> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This commit is contained in:
parent
e6f5d0be73
commit
dd3e8ac413
@ -150,7 +150,7 @@ static int nbd_have_request(void *opaque)
|
|||||||
static void nbd_reply_ready(void *opaque)
|
static void nbd_reply_ready(void *opaque)
|
||||||
{
|
{
|
||||||
BDRVNBDState *s = opaque;
|
BDRVNBDState *s = opaque;
|
||||||
int i;
|
uint64_t i;
|
||||||
|
|
||||||
if (s->reply.handle == 0) {
|
if (s->reply.handle == 0) {
|
||||||
/* No reply already in flight. Fetch a header. */
|
/* No reply already in flight. Fetch a header. */
|
||||||
@ -164,6 +164,10 @@ static void nbd_reply_ready(void *opaque)
|
|||||||
* handler acts as a synchronization point and ensures that only
|
* handler acts as a synchronization point and ensures that only
|
||||||
* one coroutine is called until the reply finishes. */
|
* one coroutine is called until the reply finishes. */
|
||||||
i = HANDLE_TO_INDEX(s, s->reply.handle);
|
i = HANDLE_TO_INDEX(s, s->reply.handle);
|
||||||
|
if (i >= MAX_NBD_REQUESTS) {
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
if (s->recv_coroutine[i]) {
|
if (s->recv_coroutine[i]) {
|
||||||
qemu_coroutine_enter(s->recv_coroutine[i], NULL);
|
qemu_coroutine_enter(s->recv_coroutine[i], NULL);
|
||||||
return;
|
return;
|
||||||
|
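Review bot: The new `if (i >= MAX_NBD_REQUESTS)` guard only holds because the first hunk changed `i` to `uint64_t`; with the old `int` a handle that wrapped negative would have passed the check and still indexed before the array, so the two hunks are one fix and the dependency deserves a comment such as `/* handle comes from the server and cannot be trusted; i is unsigned so this also rejects values that would be negative as int */`. A handle that is in range but names a slot with no coroutine, or the slot of a different outstanding request, is still accepted here and only the NULL case is visibly filtered by the following `if (s->recv_coroutine[i])`; whether a mismatched in-flight request is detectable elsewhere cannot be seen from this hunk. The `fail` label and the rest of nbd_reply_ready lie outside the hunk, so I cannot confirm that it resets `s->reply.handle` and tears down the connection, which is needed so a partially read reply is not reprocessed on the next readiness callback — worth verifying.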