
[Nbd] Buffer overwrite bug in nbd-server



There is a buffer size bug in the nbd server from at least version 2.7.5
and on.

The buffer size is exactly one megabyte, but nbd-server will accept
requests that are the buffer size.  The problem is, the server makes no
allowance that the buffer must also hold the reply header.  A read
request that is exactly one megabyte will write past the end of the
buffer by the size of the reply header.

The allocation of the buffer needs to be BUFSIZE + sizeof(struct nbd_reply).

I would also like to make the following suggestions:
- The request buffer be malloc'ed instead of grabbed from the stack.
One megabyte is a big chunk of real estate to take from the stack - if
people increase that size, you could end up exceeding the stack size.
- A recent copy of nbd.h be supplied for use in nbd-server so that you
can build the server on 2.4 machines.  There are still major
distributions (Slackware I know for a fact, there may be others) that
use 2.4 kernels.


	Kurt
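An added illustration of the sizing problem and the fix described in the post (example code written for this page, not nbd-server's own source): the buffer must hold the reply header as well as the data, so a request of exactly BUFSIZE bytes fails the check against a BUFSIZE buffer and passes against BUFSIZE + sizeof(struct nbd_reply). The struct nbd_reply layout below is an assumption for the example; the real definition lives in nbd.h.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed reply-header layout for this example only; the real one is in nbd.h. */
struct nbd_reply {
    uint32_t magic;
    uint32_t error;
    char     handle[8];
};

#define BUFSIZE (1024 * 1024)   /* one megabyte, the size the post discusses */

/* The allowance the post says is missing: data plus reply header must fit. */
int request_fits(size_t buf_capacity, size_t request_len)
{
    if (request_len > SIZE_MAX - sizeof(struct nbd_reply))
        return 0;                          /* guard the addition against wrap-around */
    return request_len + sizeof(struct nbd_reply) <= buf_capacity;
}

/* Corrected capacity, as the post suggests: BUFSIZE + sizeof(struct nbd_reply). */
size_t corrected_capacity(void)
{
    return BUFSIZE + sizeof(struct nbd_reply);
}

/* Heap allocation instead of a one-megabyte stack array (the post's first suggestion). */
unsigned char *alloc_request_buffer(void)
{
    return malloc(corrected_capacity());
}

/* Write a zeroed reply header followed by len bytes of data into buf.
 * Returns the number of bytes written, or 0 if the reply would overrun buf. */
size_t build_reply(unsigned char *buf, size_t buf_capacity,
                   const unsigned char *data, size_t len)
{
    struct nbd_reply hdr;
    if (!request_fits(buf_capacity, len))
        return 0;                          /* refuse rather than write past the end */
    memset(&hdr, 0, sizeof hdr);
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, data, len);
    return sizeof hdr + len;
}
```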
