From: Paolo Bonzini
Subject: [Qemu-devel] [PATCH 1/7] nbd: avoid out of bounds access to recv_coroutine array
Date: Thu, 19 Apr 2012 17:09:16 +0200

This can happen with a buggy or malicious server.

Reported-by: Michael Tokarev <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
 block/nbd.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/block/nbd.c b/block/nbd.c
index 161b299..9972cdb 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -150,7 +150,7 @@ static int nbd_have_request(void *opaque)
 static void nbd_reply_ready(void *opaque)
 {
     BDRVNBDState *s = opaque;
-    int i;
+    uint64_t i;
 
     if (s->reply.handle == 0) {
         /* No reply already in flight.  Fetch a header.  */
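Review bot: the change of `i` from `int` to `uint64_t` in this hunk is load-bearing rather than cosmetic: the single `i >= MAX_NBD_REQUESTS` comparison added later in the function only rejects every out-of-range value if `i` is unsigned, since a signed index derived from a server-controlled handle could be negative and still pass that test. A one-line comment at the declaration (e.g. `uint64_t i; /* unsigned so the range check below catches all bad handles */`) would stop a later cleanup from quietly reverting it to `int`.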
@@ -164,6 +164,10 @@ static void nbd_reply_ready(void *opaque)
      * handler acts as a synchronization point and ensures that only
      * one coroutine is called until the reply finishes.  */
     i = HANDLE_TO_INDEX(s, s->reply.handle);
+    if (i >= MAX_NBD_REQUESTS) {
+        goto fail;
+    }
+
     if (s->recv_coroutine[i]) {
         qemu_coroutine_enter(s->recv_coroutine[i], NULL);
         return;
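Review bot: the `fail` label targeted by the new `goto fail` is outside the hunk; please confirm it exists in `nbd_reply_ready()` and that the path it takes actually abandons the connection (or at least clears `s->reply.handle`) rather than simply returning, because a reply whose handle maps outside `recv_coroutine[]` cannot be matched to any pending request and leaving the reply state in place would re-enter this handler with the same bad handle on the next read. The placement of the check directly after `HANDLE_TO_INDEX()` and before the `s->recv_coroutine[i]` dereference is correct.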
-- 
1.7.9.3