[Nbd] Buffer overflow and unterminated string in nbd-client.c
Hi,
looking at nbd-client.c: ask_list() I found a potential buffer
ovewrflow and potentially not 0 terminated string. The reply from the
server is not checked for an overly long export name or a missing 0
termination.
MfG
Goswin
--
diff --git a/nbd-client.c b/nbd-client.c
index 9c27418..4c8a9c1 100644
--- a/nbd-client.c
+++ b/nbd-client.c
@@ -139,7 +139,8 @@ void ask_list(int sock) {
uint32_t len;
uint32_t reptype;
uint64_t magic;
- char buf[1024];
+ const int BUF_SIZE = 1024;
+ char buf[BUF_SIZE];
magic = ntohll(NBD_MAGIC_OPTS);
if (write(sock, &magic, sizeof(magic)) < 0)
@@ -203,10 +204,15 @@ void ask_list(int sock) {
exit(EXIT_FAILURE);
}
len=ntohl(len);
+ if (len >= BUF_SIZE) {
+ fprintf(stderr, "\nE: export name on server too long\n");
+ exit(EXIT_FAILURE);
+ }
if(read(sock, buf, len) < 0) {
fprintf(stderr, "\nE: could not read export name from server\n");
exit(EXIT_FAILURE);
}
+ buf[len] = 0;
printf("%s\n", buf);
}
}
Reply to: