Re: [Nbd] BUG: oversized 64b offset wrap not detected when offset + len > 64bit and thus wraps
- To: folkert <folkert@...421...>
- Cc: nbd-general@lists.sourceforge.net
- Subject: Re: [Nbd] BUG: oversized 64b offset wrap not detected when offset + len > 64bit and thus wraps
- From: Goswin von Brederlow <goswin-v-b@...186...>
- Date: Thu, 7 Mar 2013 12:36:43 +0100
- Message-id: <20130307113643.GA632@...1266...>
- In-reply-to: <20130305204654.GB7515@...855...>
- References: <20130305092330.GJ14619@...855...> <20130305124827.GA345@...1266...> <20130305204654.GB7515@...855...>
On Tue, Mar 05, 2013 at 09:46:54PM +0100, folkert wrote:
> > > if:
> > > offset = 64bit - 2KB
> > > len = 4KB
> > > then the server will allow the read/write because the check
> > > if (((ssize_t)((off_t)request.from + len) > client->exportsize))
> > > will never trigger as client->exportsize will be compared with... offset
> > > 2KB!
> > >
> > > +++ nbd-3.2/nbd-server.c 2013-03-05 10:04:41.000000000 +0100
> > > if (((ssize_t)((off_t)request.from + len) > client->exportsize)) {
> >
> > ssize_t? Doesn't that cast to 32bit signed on 32bit cpus and therefore
> > overflow much much earlier?
>
> Quickly grepping through /usr/include it looks as if it is an int.
>
> printf("%d\n", sizeof(ssize_t));
> says 8 bytes on a 64b system
>
> On a 32b system that (((ssize_t)((off_t)request.from + len) >
> client->exportsize)) indeed fails dramatically.
> So my fix was not complete :-)
>
>
> Folkert van Heusden
off_t from = request.from;
if (from < 0 || (from >= client->exportsize)
    || (client->exportsize - from < len)) {
    // error range
}
Regards,
Goswin
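The two checks side by side, as an added example that is not part of this thread or of nbd-server's own code: the quoted nbd-3.2 check (plus a simulation of Folkert's 32-bit ssize_t case) next to the subtract-instead-of-add form proposed above. The functions take the export size and request fields as plain values rather than the server's client/request structs, and the 1 GiB / 4 GiB export sizes and offsets are constructed inputs; the offset 2^64 - 2 KiB with a 4 KiB length is the case from the bug report.

```c
#define _FILE_OFFSET_BITS 64   /* make off_t 64-bit even on 32-bit hosts */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>         /* off_t, ssize_t */

/*
 * Each check returns true when the request is REJECTED. The real server
 * reads client->exportsize and request.from / len; passing them as plain
 * arguments is an assumption so the example runs stand-alone.
 */

/* The nbd-3.2 check as quoted in the thread. (off_t)from + len is computed
 * in 64 bits and wraps, so 2^64 - 2 KiB plus 4 KiB compares as 2 KiB. */
static bool rejects_old(off_t exportsize, uint64_t from, uint32_t len)
{
    return ((ssize_t)((off_t)from + len) > exportsize);
}

/* Folkert's second point: with a 32-bit ssize_t the sum is truncated before
 * the comparison. Simulated with int32_t so it runs on a 64-bit host (the
 * narrowing conversion is implementation-defined; gcc/clang keep the low
 * 32 bits). A 5 GiB offset on a 4 GiB export truncates to ~1 GiB and passes. */
static bool rejects_old_32bit_ssize(off_t exportsize, uint64_t from, uint32_t len)
{
    return ((int32_t)((off_t)from + len) > exportsize);
}

/* Goswin's proposed check: never add to the offset. First pin from to
 * [0, exportsize); only then compare the remaining space exportsize - from,
 * which cannot wrap, against len. */
static bool rejects_new(off_t exportsize, uint64_t from, uint32_t len)
{
    off_t f = (off_t)from;   /* offsets >= 2^63 become negative and fail f < 0 */
    if (f < 0 || f >= exportsize || exportsize - f < (off_t)len)
        return true;
    return false;
}

int main(void)
{
    const off_t export_1g = (off_t)1 << 30;          /* constructed 1 GiB export */
    const uint64_t wrap_from = (uint64_t)0 - 2048;   /* 2^64 - 2 KiB, from the report */

    printf("old check rejects wrapping request: %s\n",
           rejects_old(export_1g, wrap_from, 4096) ? "yes" : "NO (bug)");
    printf("new check rejects wrapping request: %s\n",
           rejects_new(export_1g, wrap_from, 4096) ? "yes" : "no");
    printf("32-bit ssize_t check rejects 5 GiB offset on 4 GiB export: %s\n",
           rejects_old_32bit_ssize((off_t)4 << 30, (uint64_t)5 << 30, 4096)
               ? "yes" : "NO (bug)");
    printf("new check rejects 5 GiB offset on 4 GiB export: %s\n",
           rejects_new((off_t)4 << 30, (uint64_t)5 << 30, 4096) ? "yes" : "no");
    return 0;
}
```

The ordering in rejects_new matters: the range test on from must come before the subtraction, otherwise exportsize - from could itself go negative for a large from and compare less than len for the wrong reason. Note also that the cast of a uint64_t offset above 2^63 to off_t is implementation-defined in C; the from < 0 test relies on the usual two's-complement wrap, which is what the quoted server code already assumes.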