From eb38c3b67018ff8069e4f674a28661931a8a3e4f Mon Sep 17 00:00:00 2001
From: Paolo Bonzini
Date: Thu, 7 Jan 2016 14:32:42 +0100
Subject: [PATCH] nbd-server: do not check request length except for reads and writes

Only reads and writes need to allocate memory correspondent to the request length. Other requests can be sent to the storage without allocating any memory, and thus any request length is acceptable.

Reported-by: Sitsofe Wheeler
Cc: qemu-block@nongnu.org
Reviewed-by: Max Reitz
Signed-off-by: Paolo Bonzini
---
 nbd/server.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/nbd/server.c b/nbd/server.c
index 8752885509..c41af0debe 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -818,13 +818,6 @@ static ssize_t nbd_co_receive_request(NBDRequest *req, struct nbd_request *reque
 goto out;
 }
 
- if (request->len > NBD_MAX_BUFFER_SIZE) {
- LOG("len (%u) is larger than max len (%u)",
- request->len, NBD_MAX_BUFFER_SIZE);
- rc = -EINVAL;
- goto out;
- }
-
 if ((request->from + request->len) < request->from) {
 LOG("integer overflow detected! " "you're probably being attacked");
@@ -836,6 +829,13 @@ static ssize_t nbd_co_receive_request(NBDRequest *req, struct nbd_request *reque
 command = request->type & NBD_CMD_MASK_COMMAND;
 if (command == NBD_CMD_READ || command == NBD_CMD_WRITE) {
+ if (request->len > NBD_MAX_BUFFER_SIZE) {
+ LOG("len (%u) is larger than max len (%u)",
+ request->len, NBD_MAX_BUFFER_SIZE);
+ rc = -EINVAL;
+ goto out;
+ }
+
 req->data = blk_blockalign(client->exp->blk, request->len);
 }
 if (command == NBD_CMD_WRITE) {
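Review bot: After this move the NBD_MAX_BUFFER_SIZE cap guards only the blk_blockalign call in the second hunk, so every command other than READ and WRITE now reaches the block layer with an uncapped 32-bit request->len; the `(request->from + request->len) < request->from` check kept in the first hunk rejects only wrap-around, not a range past the export size, and whether that range check exists for the non-allocating commands is decided outside these hunks and should be confirmed before relying on it. A comment on the relocated check would record why it was narrowed, e.g. `/* Only READ/WRITE back the request with a request->len byte buffer; other commands hand len to the block layer without allocating, so no cap is needed for them. */`. The same narrowing applies to the deletion in the first hunk. nbd_co_receive_request begins before the first hunk and continues past the second.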