authorPaolo Bonzini <pbonzini@redhat.com>2016-01-07 14:32:42 +0100
committerPaolo Bonzini <pbonzini@redhat.com>2016-01-15 18:58:02 +0100
commiteb38c3b67018ff8069e4f674a28661931a8a3e4f (patch)
tree19e35f5a940417d5a55fcdc0c7e235bcc7fcbae6
parent1a6245a5b0b4e8d822c739b403fc67c8a7bc8d12 (diff)
nbd-server: do not check request length except for reads and writes
Only reads and writes need to allocate memory corresponding to the request length. Other requests can be sent to the storage without allocating any memory, and thus any request length is acceptable. Reported-by: Sitsofe Wheeler <sitsofe@yahoo.com> Cc: qemu-block@nongnu.org Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-rw-r--r--nbd/server.c14
1 files changed, 7 insertions, 7 deletions
diff --git a/nbd/server.c b/nbd/server.c
index 8752885..c41af0d 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -818,13 +818,6 @@ static ssize_t nbd_co_receive_request(NBDRequest *req, struct nbd_request *reque
goto out;
}
- if (request->len > NBD_MAX_BUFFER_SIZE) {
- LOG("len (%u) is larger than max len (%u)",
- request->len, NBD_MAX_BUFFER_SIZE);
- rc = -EINVAL;
- goto out;
- }
-
if ((request->from + request->len) < request->from) {
LOG("integer overflow detected! "
"you're probably being attacked");
@@ -836,6 +829,13 @@ static ssize_t nbd_co_receive_request(NBDRequest *req, struct nbd_request *reque
command = request->type & NBD_CMD_MASK_COMMAND;
if (command == NBD_CMD_READ || command == NBD_CMD_WRITE) {
+ if (request->len > NBD_MAX_BUFFER_SIZE) {
+ LOG("len (%u) is larger than max len (%u)",
+ request->len, NBD_MAX_BUFFER_SIZE);
+ rc = -EINVAL;
+ goto out;
+ }
+
req->data = blk_blockalign(client->exp->blk, request->len);
}
if (command == NBD_CMD_WRITE) {
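Review bot: The `NBD_MAX_BUFFER_SIZE` check inside the `NBD_CMD_READ`/`NBD_CMD_WRITE` branch is now the only thing bounding the client-controlled size passed to `blk_blockalign()`, and nothing at that spot says so. A short comment above the check would keep the two together in later refactors, e.g. `/* request->len is client-controlled and sizes the buffer allocated below; cap it before allocating. */`. For every other command the length is now limited only by the `from + len` wrap check left in place by the previous hunk, so the code that executes those commands presumably has to range-check the request against the export size itself. That code is outside this hunk, as is the rest of nbd_co_receive_request, so this should be confirmed there.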