Re: [Nbd] BUG: oversized 64b offset wrap not detected when offset + len > 64bit and thus wraps

To: folkert <folkert@...421...>
Cc: nbd-general@lists.sourceforge.net
Subject: Re: [Nbd] BUG: oversized 64b offset wrap not detected when offset + len > 64bit and thus wraps
From: Wouter Verhelst <w@...112...>
Date: Wed, 6 Mar 2013 12:54:42 +0100
Message-id: <20130306115442.GA31421@...3...>
In-reply-to: <20130305092330.GJ14619@...855...>
References: <20130305092330.GJ14619@...855...>

On Tue, Mar 05, 2013 at 10:23:31AM +0100, folkert wrote:
> if:
> 	offset = 64bit - 2KB
> 	len = 4KB
> then the server will allow the read/write because the check
> 	if (((ssize_t)((off_t)request.from + len) > client->exportsize))
> will never trigger as client->exportsize will be compared with... offset
> 2KB!

Thanks, applied.

> diff -uNrBbd nbd-3.2.org/nbd-server.c nbd-3.2/nbd-server.c
> --- nbd-3.2.org/nbd-server.c	2012-07-03 22:54:53.000000000 +0200
> +++ nbd-3.2/nbd-server.c	2013-03-05 10:04:41.000000000 +0100
> @@ -1752,6 +1752,12 @@
>  				continue;
>  			}
>  
> +			if (request.from + len < request.from) { // 64 bit overflow!!
> +				DEBUG("[RANGE!]");
> +				ERROR(client, reply, EINVAL);
> +				continue;
> +			}
> +
>  			if (((ssize_t)((off_t)request.from + len) > client->exportsize)) {
>  				DEBUG("[RANGE!]");
>  				ERROR(client, reply, EINVAL);
> 
> 
> All bugs were found with NBD-verify which can be retrieved from
> http://www.vanheusden.com/nbd-verify/
> 
> 
> Folkert van Heusden
> 
> -- 
> MultiTail ist eine flexible Applikation um Logfiles und Kommando
> Eingaben zu überprüfen. Inkl. Filter, Farben, Zusammenführen,
> Ansichten etc. http://www.vanheusden.com/multitail/
> ----------------------------------------------------------------------
> Phone: +31-6-41278122, PGP-key: 1F28D8AE, www.vanheusden.com
> 
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_feb
> _______________________________________________
> Nbd-general mailing list
> Nbd-general@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nbd-general
> 

-- 
Copyshops should do vouchers. So that next time some bureaucracy requires you
to mail a form in triplicate, you can mail it just once, add a voucher, and
save on postage.

Reply to:

References:
- [Nbd] BUG: oversized 64b offset wrap not detected when offset + len > 64bit and thus wraps
  - From: folkert <folkert@...421...>

Prev by Date: Re: [Nbd] BUG: oversized 64b offset wrap not detected when offset + len > 64bit and thus wraps
Next by Date: Re: [Nbd] BUG: read-command with data size 0 does not return a response header
Previous by thread: Re: [Nbd] BUG: oversized 64b offset wrap not detected when offset + len > 64bit and thus wraps#
Next by thread: [Nbd] release?
Index(es):
- Date
- Thread