[Qemu-devel] [PATCH 1/2] nbd: do not check request length except for rea
From: Paolo Bonzini
Subject: [Qemu-devel] [PATCH 1/2] nbd: do not check request length except for reads and writes
Date: Thu, 7 Jan 2016 14:44:25 +0100
Only reads and writes need to allocate memory corresponding to the
request length. Other requests can be sent to the storage without
allocating any memory, and thus any request length is acceptable.
Reported-by: Sitsofe Wheeler <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
---
nbd.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/nbd.c b/nbd.c
index b3d9654..e395a16 100644
--- a/nbd.c
+++ b/nbd.c
@@ -1227,13 +1227,6 @@ static ssize_t nbd_co_receive_request(NBDRequest *req,
struct nbd_request *reque
goto out;
}
- if (request->len > NBD_MAX_BUFFER_SIZE) {
- LOG("len (%u) is larger than max len (%u)",
- request->len, NBD_MAX_BUFFER_SIZE);
- rc = -EINVAL;
- goto out;
- }
-
if ((request->from + request->len) < request->from) {
LOG("integer overflow detected! "
"you're probably being attacked");
@@ -1245,6 +1238,13 @@ static ssize_t nbd_co_receive_request(NBDRequest *req,
struct nbd_request *reque
command = request->type & NBD_CMD_MASK_COMMAND;
if (command == NBD_CMD_READ || command == NBD_CMD_WRITE) {
+ if (request->len > NBD_MAX_BUFFER_SIZE) {
+ LOG("len (%u) is larger than max len (%u)",
+ request->len, NBD_MAX_BUFFER_SIZE);
+ rc = -EINVAL;
+ goto out;
+ }
+
req->data = blk_blockalign(client->exp->blk, request->len);
}
if (command == NBD_CMD_WRITE) {
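Review bot: The length check moved into the `command == NBD_CMD_READ || command == NBD_CMD_WRITE` branch has no comment saying that NBD_MAX_BUFFER_SIZE is there to cap the blk_blockalign() allocation on the following line; without one it reads like a protocol limit that was applied to two commands by mistake. A short comment above the `if`, stating that the limit applies to the buffer allocated from the client-supplied request->len, would keep a later refactor from hoisting the check back out, and would remind anyone adding another allocating command to place it inside this branch or repeat the check.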
--
2.5.0