diff options
| author | Eric Blake <eblake@redhat.com> | 2017-11-08 15:57:02 -0600 |
|---|---|---|
| committer | Eric Blake <eblake@redhat.com> | 2017-11-09 10:22:26 -0600 |
| commit | b4176cb314995ad225d6c2b531568801feb04f3f (patch) | |
| tree | 40e07ee6187137216d787742c43b3213c00cc450 /block/nbd-client.c | |
| parent | 9d8f818cdee83e726a5dd14b645738ec632d2577 (diff) | |
| download | qemu-b4176cb314995ad225d6c2b531568801feb04f3f.tar.gz | |
nbd-client: Stricter enforcing of structured reply spec
Ensure that the server is not sending unexpected chunk lengths
for either the NONE or the OFFSET_DATA chunk, nor unexpected
hole length for OFFSET_HOLE. This will flag any server as
broken that responds to a zero-length read with an OFFSET_DATA
(what our server currently does, but that's about to be fixed)
or with OFFSET_HOLE, even though we previously fixed our client
to never be able to send such a request over the wire.
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20171108215703.9295-7-eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Diffstat (limited to 'block/nbd-client.c')
| -rw-r--r-- | block/nbd-client.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/block/nbd-client.c b/block/nbd-client.c index 0a675d0fab..bcfed0133d 100644 --- a/block/nbd-client.c +++ b/block/nbd-client.c @@ -216,7 +216,7 @@ static int nbd_parse_offset_hole_payload(NBDStructuredReplyChunk *chunk, offset = payload_advance64(&payload); hole_size = payload_advance32(&payload); - if (offset < orig_offset || hole_size > qiov->size || + if (!hole_size || offset < orig_offset || hole_size > qiov->size || offset > orig_offset + qiov->size - hole_size) { error_setg(errp, "Protocol error: server sent chunk exceeding requested" " region"); @@ -281,7 +281,8 @@ static int nbd_co_receive_offset_data_payload(NBDClientSession *s, assert(nbd_reply_is_structured(&s->reply)); - if (chunk->length < sizeof(offset)) { + /* The NBD spec requires at least one byte of payload */ + if (chunk->length <= sizeof(offset)) { error_setg(errp, "Protocol error: invalid payload for " "NBD_REPLY_TYPE_OFFSET_DATA"); return -EINVAL; @@ -293,6 +294,7 @@ static int nbd_co_receive_offset_data_payload(NBDClientSession *s, be64_to_cpus(&offset); data_size = chunk->length - sizeof(offset); + assert(data_size); if (offset < orig_offset || data_size > qiov->size || offset > orig_offset + qiov->size - data_size) { error_setg(errp, "Protocol error: server sent chunk exceeding requested" @@ -411,6 +413,11 @@ static coroutine_fn int nbd_co_do_receive_one_chunk( " NBD_REPLY_FLAG_DONE flag set"); return -EINVAL; } + if (chunk->length) { + error_setg(errp, "Protocol error: NBD_REPLY_TYPE_NONE chunk with" + " nonzero length"); + return -EINVAL; + } return 0; } |