Re: [Nbd] BUG: oversized 64b offset wrap not detected when offset + len > 64bit and thus wraps
- To: nbd-general@lists.sourceforge.net
- Subject: Re: [Nbd] BUG: oversized 64b offset wrap not detected when offset + len > 64bit and thus wraps
- From: Goswin von Brederlow <goswin-v-b@...186...>
- Date: Tue, 5 Mar 2013 13:48:27 +0100
- Message-id: <20130305124827.GA345@...1266...>
- In-reply-to: <20130305092330.GJ14619@...855...>
- References: <20130305092330.GJ14619@...855...>
On Tue, Mar 05, 2013 at 10:23:31AM +0100, folkert wrote:
> if:
> offset = 64bit - 2KB
> len = 4KB
> then the server will allow the read/write because the check
> if (((ssize_t)((off_t)request.from + len) > client->exportsize))
> will never trigger as client->exportsize will be compared with... offset
> 2KB!
>
> diff -uNrBbd nbd-3.2.org/nbd-server.c nbd-3.2/nbd-server.c
> --- nbd-3.2.org/nbd-server.c 2012-07-03 22:54:53.000000000 +0200
> +++ nbd-3.2/nbd-server.c 2013-03-05 10:04:41.000000000 +0100
> @@ -1752,6 +1752,12 @@
> continue;
> }
>
> + if (request.from + len < request.from) { // 64 bit overflow!!
> + DEBUG("[RANGE!]");
> + ERROR(client, reply, EINVAL);
> + continue;
> + }
> +
> if (((ssize_t)((off_t)request.from + len) > client->exportsize)) {
ssize_t? Doesn't that cast to 32bit signed on 32bit cpus and therefore
overflow much much earlier?
> DEBUG("[RANGE!]");
> ERROR(client, reply, EINVAL);
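Review bot: the added wrap test `+ if (request.from + len < request.from)` only detects the wrap when `request.from` is an unsigned 64-bit type; if it is signed, the overflow it tests for is undefined behaviour and the compiler may legitimately drop the comparison. It also leaves the next line's `(ssize_t)((off_t)request.from + len)` intact, so the signed casts remain and, as Goswin asks below, `ssize_t` narrows the sum on 32-bit builds. Suggest replacing both checks with a single bound that never forms the sum, e.g. `if (request.from > client->exportsize || len > client->exportsize - request.from)`, which rejects the wrapped and the oversize case in unsigned arithmetic and removes the duplicated `DEBUG("[RANGE!]")` / `ERROR(client, reply, EINVAL);` block.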
>
>
> All bugs were found with NBD-verify which can be retrieved from
> http://www.vanheusden.com/nbd-verify/
>
>
> Folkert van Heusden
Kind regards,
Goswin
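The wrap folkert describes, as an added example that is not code from the nbd-server tree or from either poster: the original comparison modelled with explicit 64-bit types beside a bound check that never forms the sum, both run on the report's values (offset 2^64 - 2 KiB, length 4 KiB). The 1 GiB export size and the 64-bit `off_t`/`ssize_t` model are constructed assumptions; the 32-bit narrowing Goswin raises is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Mirrors the reported nbd-server check
 *     (ssize_t)((off_t)request.from + len) > client->exportsize
 * with off_t and ssize_t modelled as int64_t (assumption: 64-bit build).
 * Converting an offset above INT64_MAX to a signed type is
 * implementation-defined; on two's-complement targets 2^64 - 2 KiB becomes
 * -2 KiB, and -2 KiB + 4 KiB = 2 KiB, which compares as "in range".
 */
bool range_ok_original(uint64_t from, uint32_t len, int64_t exportsize)
{
    int64_t end = (int64_t)from + (int64_t)len;
    return !(end > exportsize);
}

/*
 * Hardened check: never form the sum. Reject offsets past the end first,
 * then compare the length against the remaining space, all in unsigned
 * 64-bit arithmetic that cannot wrap. Covers both the patch's wrap test and
 * the original bound without any signed cast.
 */
bool range_ok_checked(uint64_t from, uint32_t len, uint64_t exportsize)
{
    if (from > exportsize)
        return false;
    return (uint64_t)len <= exportsize - from;
}

int main(void)
{
    const uint64_t export_size = 1ULL << 30;     /* constructed: 1 GiB export */
    const uint64_t from = UINT64_MAX - 2047;     /* 2^64 - 2 KiB, as in the report */
    const uint32_t len = 4096;                   /* 4 KiB */

    printf("original check accepts request: %s\n",
           range_ok_original(from, len, (int64_t)export_size) ? "yes (bug)" : "no");
    printf("hardened check accepts request: %s\n",
           range_ok_checked(from, len, export_size) ? "yes" : "no");
    return 0;
}
```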