[Nbd] BUG: oversized 64b offset wrap not detected when offset + len > 64bit and thus wraps
- To: nbd-general@lists.sourceforge.net
- Subject: [Nbd] BUG: oversized 64b offset wrap not detected when offset + len > 64bit and thus wraps
- From: folkert <folkert@...421...>
- Date: Tue, 5 Mar 2013 10:23:31 +0100
- Message-id: <20130305092330.GJ14619@...855...>
if:
offset = 64bit - 2KB
len = 4KB
then the server will allow the read/write because the check
if (((ssize_t)((off_t)request.from + len) > client->exportsize))
will never trigger as client->exportsize will be compared with... offset
2KB!
diff -uNrBbd nbd-3.2.org/nbd-server.c nbd-3.2/nbd-server.c
--- nbd-3.2.org/nbd-server.c 2012-07-03 22:54:53.000000000 +0200
+++ nbd-3.2/nbd-server.c 2013-03-05 10:04:41.000000000 +0100
@@ -1752,6 +1752,12 @@
continue;
}
+ if (request.from + len < request.from) { // 64 bit overflow!!
+ DEBUG("[RANGE!]");
+ ERROR(client, reply, EINVAL);
+ continue;
+ }
+
if (((ssize_t)((off_t)request.from + len) > client->exportsize)) {
DEBUG("[RANGE!]");
ERROR(client, reply, EINVAL);
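Review bot: The added test `if (request.from + len < request.from)` only catches a wrap of the unsigned sum, while the retained comparison `(ssize_t)((off_t)request.from + len) > client->exportsize` still goes through signed casts. A `request.from` with the top bit set that does not wrap can therefore turn negative in that second test and compare as smaller than the export size (assuming `client->exportsize` is signed; its type is not visible in this hunk). Consider replacing both tests with one comparison in unsigned arithmetic that never forms the sum, rejecting when `request.from > client->exportsize` or `len > client->exportsize - request.from`. The wrap test is also only well defined if `request.from` and `len` are both unsigned, which is worth confirming against their declarations. A DEBUG string distinct from "[RANGE!]" in the new branch would make the two rejections distinguishable in logs.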
All bugs were found with NBD-verify which can be retrieved from
http://www.vanheusden.com/nbd-verify/
Folkert van Heusden
--
MultiTail is a flexible application for checking log files and command
input. Incl. filters, colors, merging,
views etc. http://www.vanheusden.com/multitail/
----------------------------------------------------------------------
Phone: +31-6-41278122, PGP-key: 1F28D8AE, www.vanheusden.com
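
The wrap described in this report, reproduced as an added example that is not part of the original message or of nbd-server.c. The function names, the fixed-width types and the 1 MiB export size are assumptions made for illustration; the example also goes one step beyond the reported case by testing an offset with the top bit set.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed request from the report: offset = 2^64 - 2 KiB, len = 4 KiB. */
#define REPORT_FROM (UINT64_MAX - 2047u)
#define REPORT_LEN  4096u
#define EXPORT_SIZE ((uint64_t)1 << 20)   /* assumed 1 MiB export */

/* Models the quoted check: the sum is reduced modulo 2^64 and then read as
 * a signed value (two's complement, as on gcc/clang) before the compare. */
static bool quoted_check_rejects(uint64_t from, uint32_t len, uint64_t size)
{
    uint64_t end = from + len;            /* unsigned: wraps, no UB */
    return (int64_t)end > (int64_t)size;
}

/* Models the patched server: wrap test first, then the quoted check. */
static bool patched_check_rejects(uint64_t from, uint32_t len, uint64_t size)
{
    if (from + len < from)                /* sum wrapped past 2^64 */
        return true;
    return quoted_check_rejects(from, len, size);
}

/* Hypothetical wrap-free form: from + len is never computed. */
static bool range_ok(uint64_t from, uint32_t len, uint64_t size)
{
    return from <= size && len <= size - from;
}

int main(void)
{
    uint64_t high = (uint64_t)1 << 63;    /* constructed: top bit set, no wrap */

    printf("report request: quoted rejects=%d patched rejects=%d range_ok=%d\n",
           quoted_check_rejects(REPORT_FROM, REPORT_LEN, EXPORT_SIZE),
           patched_check_rejects(REPORT_FROM, REPORT_LEN, EXPORT_SIZE),
           range_ok(REPORT_FROM, REPORT_LEN, EXPORT_SIZE));
    printf("top-bit offset: patched rejects=%d range_ok=%d\n",
           patched_check_rejects(high, 4096, EXPORT_SIZE),
           range_ok(high, 4096, EXPORT_SIZE));
    return 0;
}
```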