aboutsummaryrefslogtreecommitdiff
path: root/block/nfs.c
diff options
context:
space:
mode:
authorPeter Lieven <pl@kamp.de>2015-06-26 13:14:01 +0200
committerStefan Hajnoczi <stefanha@redhat.com>2015-07-02 10:06:23 +0100
commit29c838cdc96c4d117f00c75bbcb941e1be9590fb (patch)
tree5bed69152871bcbb03792c662656903616add9f7 /block/nfs.c
parent9049736ec70fdc886ac0df521fdd8b2886b2cb63 (diff)
downloadqemu-29c838cdc96c4d117f00c75bbcb941e1be9590fb.zip
qemu-29c838cdc96c4d117f00c75bbcb941e1be9590fb.tar.gz
qemu-29c838cdc96c4d117f00c75bbcb941e1be9590fb.tar.bz2
block/nfs: limit maximum readahead size to 1MB
a malicious caller could otherwise specify a very large value via the URI and force libnfs to allocate a large amount of memory for the readahead buffer. Cc: qemu-stable@nongnu.org Signed-off-by: Peter Lieven <pl@kamp.de> Message-id: 1435317241-25585-1-git-send-email-pl@kamp.de Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'block/nfs.c')
-rw-r--r--block/nfs.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/block/nfs.c b/block/nfs.c
index ca9e24e..c026ff6 100644
--- a/block/nfs.c
+++ b/block/nfs.c
@@ -35,6 +35,8 @@
#include "sysemu/sysemu.h"
#include <nfsc/libnfs.h>
+#define QEMU_NFS_MAX_READAHEAD_SIZE 1048576
+
typedef struct NFSClient {
struct nfs_context *context;
struct nfsfh *fh;
@@ -327,6 +329,11 @@ static int64_t nfs_client_open(NFSClient *client, const char *filename,
nfs_set_tcp_syncnt(client->context, val);
#ifdef LIBNFS_FEATURE_READAHEAD
} else if (!strcmp(qp->p[i].name, "readahead")) {
+ if (val > QEMU_NFS_MAX_READAHEAD_SIZE) {
+ error_report("NFS Warning: Truncating NFS readahead"
+ " size to %d", QEMU_NFS_MAX_READAHEAD_SIZE);
+ val = QEMU_NFS_MAX_READAHEAD_SIZE;
+ }
nfs_set_readahead(client->context, val);
#endif
} else {