| author | Peter Maydell <peter.maydell@linaro.org> | 2017-11-17 15:30:20 +0000 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2017-11-17 15:30:21 +0000 |
| commit | 085ee6d282d38b430c850900c051e6b9e8c1681f (patch) | |
| tree | a2429bc787f2916307d8250b79644f81bce6cb41 /nbd/server.c | |
| parent | fec035a53fa15c4c8c4e62bfef56a35df4161e38 (diff) | |
| parent | fed5f8f82056c9f222433c41aeb9fca50c89f297 (diff) | |
Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2017-11-17' into staging
nbd patches for 2017-11-17 Eric Blake - nbd: Don't crash when server reports NBD_CMD_READ failure Eric Blake - nbd/client: Use error_prepend() correctly Eric Blake - nbd/client: Don't hard-disconnect on ESHUTDOWN from server Eric Blake - nbd/server: Fix error reporting for bad requests # gpg: Signature made Fri 17 Nov 2017 14:53:30 GMT # gpg: using RSA key 0xA7A16B4A2527436A # gpg: Good signature from "Eric Blake <eblake@redhat.com>" # gpg: aka "Eric Blake (Free Software Programmer) <ebb9@byu.net>" # gpg: aka "[jpeg image of size 6874]" # Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2 F3AA A7A1 6B4A 2527 436A * remotes/ericb/tags/pull-nbd-2017-11-17: nbd/server: Fix error reporting for bad requests nbd/client: Don't hard-disconnect on ESHUTDOWN from server nbd/client: Use error_prepend() correctly nbd: Don't crash when server reports NBD_CMD_READ failure Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'nbd/server.c')
| -rw-r--r-- | nbd/server.c | 36 |
1 files changed, 12 insertions, 24 deletions
diff --git a/nbd/server.c b/nbd/server.c index df771fd42f..7d6801b427 100644 --- a/nbd/server.c +++ b/nbd/server.c @@ -1366,15 +1366,6 @@ static int nbd_co_receive_request(NBDRequestData *req, NBDRequest *request, return -EIO; } - /* Check for sanity in the parameters, part 1. Defer as many - * checks as possible until after reading any NBD_CMD_WRITE - * payload, so we can try and keep the connection alive. */ - if ((request->from + request->len) < request->from) { - error_setg(errp, - "integer overflow detected, you're probably being attacked"); - return -EINVAL; - } - if (request->type == NBD_CMD_READ || request->type == NBD_CMD_WRITE) { if (request->len > NBD_MAX_BUFFER_SIZE) { error_setg(errp, "len (%" PRIu32" ) is larger than max len (%u)", @@ -1399,12 +1390,21 @@ static int nbd_co_receive_request(NBDRequestData *req, NBDRequest *request, request->len); } - /* Sanity checks, part 2. */ - if (request->from + request->len > client->exp->size) { + /* Sanity checks. */ + if (client->exp->nbdflags & NBD_FLAG_READ_ONLY && + (request->type == NBD_CMD_WRITE || + request->type == NBD_CMD_WRITE_ZEROES || + request->type == NBD_CMD_TRIM)) { + error_setg(errp, "Export is read-only"); + return -EROFS; + } + if (request->from > client->exp->size || + request->from + request->len > client->exp->size) { error_setg(errp, "operation past EOF; From: %" PRIu64 ", Len: %" PRIu32 ", Size: %" PRIu64, request->from, request->len, (uint64_t)client->exp->size); - return request->type == NBD_CMD_WRITE ? -ENOSPC : -EINVAL; + return (request->type == NBD_CMD_WRITE || + request->type == NBD_CMD_WRITE_ZEROES) ? -ENOSPC : -EINVAL; } valid_flags = NBD_CMD_FLAG_FUA; if (request->type == NBD_CMD_READ && client->structured_reply) { 
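Review bot: The bounds test added in the second hunk (`request->from > client->exp->size || request->from + request->len > client->exp->size`) is now the only guard against a client-supplied offset wrapping the 64-bit sum, because the first hunk drops the explicit overflow check, and nothing in the code says so. It holds because the addition is only evaluated once `from` is known not to exceed the export size and `len` is formatted as a 32-bit value; it presumably also depends on the export size never being negative (the `(uint64_t)` cast in the message suggests a signed type), which should be confirmed. I would put a comment above the test, for example `/* from <= size here and len is 32 bits, so from + len cannot wrap */`, so a later widening of `len` does not silently reintroduce the wrap. Separately, the read-only condition mixes `&` and `&&` without grouping; `(client->exp->nbdflags & NBD_FLAG_READ_ONLY) && (...)` is harmless to add and easier to audit. nbd_co_receive_request begins and ends outside this hunk.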
@@ -1482,12 +1482,6 @@ static coroutine_fn void nbd_trip(void *opaque) break; case NBD_CMD_WRITE: - if (exp->nbdflags & NBD_FLAG_READ_ONLY) { - error_setg(&local_err, "Export is read-only"); - ret = -EROFS; - break; - } - flags = 0; if (request.flags & NBD_CMD_FLAG_FUA) { flags |= BDRV_REQ_FUA; @@ -1500,12 +1494,6 @@ static coroutine_fn void nbd_trip(void *opaque) break; case NBD_CMD_WRITE_ZEROES: - if (exp->nbdflags & NBD_FLAG_READ_ONLY) { - error_setg(&local_err, "Export is read-only"); - ret = -EROFS; - break; - } - flags = 0; if (request.flags & NBD_CMD_FLAG_FUA) { flags |= BDRV_REQ_FUA; |