[PATCH v4 01/24] nbd/client: Use smarter assert
From: Eric Blake
Subject: [PATCH v4 01/24] nbd/client: Use smarter assert
Date: Thu, 8 Jun 2023 08:56:30 -0500
Assigning strlen() to a uint32_t and then asserting that it isn't too
large doesn't catch the case of an input string 4G in length.
Thankfully, the incoming strings can never be that large: if the
export name or query is reflecting a string the client got from the
server, we already guarantee that we dropped the NBD connection if the
server sent more than 32M in a single reply to our NBD_OPT_* request;
if the export name is coming from qemu, nbd_receive_negotiate()
asserted that strlen(info->name) <= NBD_MAX_STRING_SIZE; and
similarly, a query string via x->dirty_bitmap coming from the user was
bounds-checked in either qemu-nbd or by the limitations of QMP.
Still, it doesn't hurt to be more explicit in how we write our
assertions to not have to analyze whether inadvertent wraparound is
possible.
Fixes: 93676c88 ("nbd: Don't send oversize strings", v4.2.0)
Reported-by: Dr. David Alan Gilbert <dave@treblig.org>
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
---
nbd/client.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/nbd/client.c b/nbd/client.c
index 30d5383cb19..ff75722e487 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -650,19 +650,20 @@ static int nbd_send_meta_query(QIOChannel *ioc, uint32_t
opt,
Error **errp)
{
int ret;
- uint32_t export_len = strlen(export);
+ uint32_t export_len;
uint32_t queries = !!query;
uint32_t query_len = 0;
uint32_t data_len;
char *data;
char *p;
+ assert(strnlen(export, NBD_MAX_STRING_SIZE + 1) <= NBD_MAX_STRING_SIZE);
+ export_len = strlen(export);
data_len = sizeof(export_len) + export_len + sizeof(queries);
- assert(export_len <= NBD_MAX_STRING_SIZE);
if (query) {
+ assert(strnlen(query, NBD_MAX_STRING_SIZE + 1) <= NBD_MAX_STRING_SIZE);
query_len = strlen(query);
data_len += sizeof(query_len) + query_len;
- assert(query_len <= NBD_MAX_STRING_SIZE);
} else {
assert(opt == NBD_OPT_LIST_META_CONTEXT);
}
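Review bot: in both the export path and the `if (query)` branch, the string is now measured twice, once by the `strnlen()` inside `assert()` and again by the `strlen()` that feeds `export_len` / `query_len`, so the check and the stored length come from separate scans. Consider taking the `strnlen(..., NBD_MAX_STRING_SIZE + 1)` result into a `size_t` local, asserting on that, and assigning it to the `uint32_t`; that ties the bound and the length used for `data_len` to one measurement and avoids the second walk. A one-line comment on why the bound is `NBD_MAX_STRING_SIZE + 1` would also help the next reader.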
--
2.40.1
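The wraparound the commit message describes, as an added example that is not part of the patch or of QEMU. `EXAMPLE_MAX_STRING_SIZE` and both function names are assumptions made for the illustration, and the old pattern takes the length as a number so that no 4G string has to be allocated.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for this example only; the page does not give the value. */
#define EXAMPLE_MAX_STRING_SIZE 4096u

/* Old pattern: narrow to uint32_t first, compare afterwards.
 * `len` models what strlen() would return on a 64-bit host. */
static bool narrow_then_check(uint64_t len, uint32_t *out)
{
    uint32_t narrowed = (uint32_t)len;   /* bits above 2^32 are dropped */
    *out = narrowed;
    return narrowed <= EXAMPLE_MAX_STRING_SIZE;
}

/* New pattern: bound the scan, compare in size_t, narrow only on success.
 * The scan stops at MAX + 1 bytes, so an oversize string is detected
 * without walking all of it and without any wraparound. */
static bool check_then_narrow(const char *s, uint32_t *out)
{
    size_t n = strnlen(s, EXAMPLE_MAX_STRING_SIZE + 1);
    if (n > EXAMPLE_MAX_STRING_SIZE) {
        return false;                    /* *out left untouched */
    }
    *out = (uint32_t)n;
    return true;
}

int main(void)
{
    uint32_t len = 0;
    uint64_t four_gig_plus = ((uint64_t)1 << 32) + 10;  /* constructed */

    /* The narrowed value looks like a 10-byte string and passes. */
    printf("old check on 4G+10: %s, stored length %u\n",
           narrow_then_check(four_gig_plus, &len) ? "accepted" : "rejected",
           (unsigned)len);
    printf("new check on \"export\": %s\n",
           check_then_narrow("export", &len) ? "accepted" : "rejected");
    return 0;
}
```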