summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/block/nbd.h6
-rw-r--r--nbd/client.c2
-rw-r--r--nbd/server.c4
3 files changed, 9 insertions, 3 deletions
diff --git a/include/block/nbd.h b/include/block/nbd.h
index 747bb0aaeb..df1f804338 100644
--- a/include/block/nbd.h
+++ b/include/block/nbd.h
@@ -77,6 +77,12 @@ enum {
/* Maximum size of a single READ/WRITE data buffer */
#define NBD_MAX_BUFFER_SIZE (32 * 1024 * 1024)
+/* Maximum size of an export name. The NBD spec requires 256 and
+ * suggests that servers support up to 4096, but we stick to only the
+ * required size so that we can stack-allocate the names, and because
+ * going larger would require an audit of more code to make sure we
+ * aren't overflowing some other buffer. */
+#define NBD_MAX_NAME_SIZE 256
ssize_t nbd_wr_syncv(QIOChannel *ioc,
struct iovec *iov,
diff --git a/nbd/client.c b/nbd/client.c
index e8bf9fb540..287487c6c2 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -210,7 +210,7 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, Error **errp)
error_setg(errp, "incorrect option name length");
return -1;
}
- if (namelen > 255) {
+ if (namelen > NBD_MAX_NAME_SIZE) {
error_setg(errp, "export name length too long %" PRIu32, namelen);
return -1;
}
diff --git a/nbd/server.c b/nbd/server.c
index 41067a4bf8..a677e266ff 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -286,13 +286,13 @@ static int nbd_negotiate_handle_list(NBDClient *client, uint32_t length)
static int nbd_negotiate_handle_export_name(NBDClient *client, uint32_t length)
{
int rc = -EINVAL;
- char name[256];
+ char name[NBD_MAX_NAME_SIZE + 1];
/* Client sends:
[20 .. xx] export name (length bytes)
*/
TRACE("Checking length");
- if (length > 255) {
+ if (length >= sizeof(name)) {
LOG("Bad length received");
goto fail;
}
generated by cgit v1.2.1 (git 2.18.0) at 2024-07-02 08:12:30 +0000