[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 07/14] nbd/client: Use smarter assert
|
From: |
Eric Blake |
|
Subject: |
[PULL 07/14] nbd/client: Use smarter assert |
|
Date: |
Wed, 19 Jul 2023 15:27:44 -0500 |
Assigning strlen() to a uint32_t and then asserting that it isn't too
large doesn't catch the case of an input string 4G in length.
Thankfully, the incoming strings can never be that large: if the
export name or query is reflecting a string the client got from the
server, we already guarantee that we dropped the NBD connection if the
server sent more than 32M in a single reply to our NBD_OPT_* request;
if the export name is coming from qemu, nbd_receive_negotiate()
asserted that strlen(info->name) <= NBD_MAX_STRING_SIZE; and
similarly, a query string via x->dirty_bitmap coming from the user was
bounds-checked in either qemu-nbd or by the limitations of QMP.
Still, it doesn't hurt to be more explicit in how we write our
assertions to not have to analyze whether inadvertent wraparound is
possible.
Fixes: 93676c88 ("nbd: Don't send oversize strings", v4.2.0)
Reported-by: Dr. David Alan Gilbert <dave@treblig.org>
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Message-ID: <20230608135653.2918540-2-eblake@redhat.com>
---
nbd/client.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/nbd/client.c b/nbd/client.c
index 30d5383cb19..ff75722e487 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -650,19 +650,20 @@ static int nbd_send_meta_query(QIOChannel *ioc, uint32_t
opt,
Error **errp)
{
int ret;
- uint32_t export_len = strlen(export);
+ uint32_t export_len;
uint32_t queries = !!query;
uint32_t query_len = 0;
uint32_t data_len;
char *data;
char *p;
+ assert(strnlen(export, NBD_MAX_STRING_SIZE + 1) <= NBD_MAX_STRING_SIZE);
+ export_len = strlen(export);
data_len = sizeof(export_len) + export_len + sizeof(queries);
- assert(export_len <= NBD_MAX_STRING_SIZE);
if (query) {
+ assert(strnlen(query, NBD_MAX_STRING_SIZE + 1) <= NBD_MAX_STRING_SIZE);
query_len = strlen(query);
data_len += sizeof(query_len) + query_len;
- assert(query_len <= NBD_MAX_STRING_SIZE);
} else {
assert(opt == NBD_OPT_LIST_META_CONTEXT);
}
--
2.41.0
- [PULL 00/14] NBD patches for 2023-07-19, Eric Blake, 2023/07/19
- [PULL 01/14] qemu-nbd: pass structure into nbd_client_thread instead of plain char*, Eric Blake, 2023/07/19
- [PULL 06/14] qemu-nbd: make verbose bool and local variable in main(), Eric Blake, 2023/07/19
- [PULL 03/14] qemu-nbd: properly report error if qemu_daemon() is failed, Eric Blake, 2023/07/19
- [PULL 05/14] qemu-nbd: handle dup2() error when qemu-nbd finished setup process, Eric Blake, 2023/07/19
- [PULL 04/14] qemu-nbd: properly report error on error in dup2() after qemu_daemon(), Eric Blake, 2023/07/19
- [PULL 02/14] qemu-nbd: fix regression with qemu-nbd --fork run over ssh, Eric Blake, 2023/07/19
- [PULL 12/14] nbd/client: Simplify cookie vs. index computation, Eric Blake, 2023/07/19
- [PULL 07/14] nbd/client: Use smarter assert,
Eric Blake <=
- [PULL 09/14] nbd/server: Prepare for alternate-size headers, Eric Blake, 2023/07/19
- [PULL 08/14] nbd: Consistent typedef usage in header, Eric Blake, 2023/07/19
- [PULL 13/14] nbd/client: Add safety check on chunk payload length, Eric Blake, 2023/07/19
- [PULL 14/14] nbd: Use enum for various negotiation modes, Eric Blake, 2023/07/19
- [PULL 11/14] nbd: s/handle/cookie/ to match NBD spec, Eric Blake, 2023/07/19
- [PULL 10/14] nbd/server: Refactor to pass full request around, Eric Blake, 2023/07/19
- Re: [PULL 00/14] NBD patches for 2023-07-19, Peter Maydell, 2023/07/21