
Re: [BUG] nbd-server: Remote stack-based buffer overflow



Hi,

Thanks; sorry for the delay.

On Sun, Jan 23, 2022 at 02:10:18PM +0000, Dialluvioso wrote:
>    There is a remotely exploitable stack-based buffer overflow in line 2299
>    `handle_info` (`nbd-server.c`), fields `len` and `namelen` aren't properly
>    checked therefore `socket_read` will overflow local buffer `buf` (max size
>    1024 bytes).
>    For reproducing the issue, you only need to perform the negotiation of the
>    protocol and send a `NBD_OPT_INFO` or `NBD_OPT_GO` request with a malformed
>    `len`.

This is now CVE-2022-26496, and has been fixed on git master (I will
release a new NBD package later today).

-- 
     w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}
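
An added example, not part of the message above and not nbd-server's actual fix: a hypothetical helper, `parse_info_name`, showing the kind of validation of `len` and `namelen` that the report says was missing before data is copied into a 1024-byte buffer. It assumes the `NBD_OPT_INFO` / `NBD_OPT_GO` payload layout from the NBD protocol document (32-bit name length, name, 16-bit request count); the sample byte arrays are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 1024  /* size of the local buffer named in the report */

/* Read a big-endian (network order) 32-bit value from p. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Hypothetical helper: check the peer-supplied lengths of an option payload
 * before anything is copied into a fixed-size buffer.
 *   data/avail: bytes actually received; len: option length from the header.
 * Returns 0 and fills name (NUL-terminated) on success, -1 on rejection.
 */
int parse_info_name(const uint8_t *data, size_t avail, uint32_t len,
                    char name[NAME_BUF_SIZE]) {
    uint32_t namelen;

    if (len < 4 + 2 || len > avail)   /* need namelen field + request count */
        return -1;
    namelen = be32(data);
    if (namelen > len - 6)            /* name must fit inside the option data */
        return -1;
    if (namelen >= NAME_BUF_SIZE)     /* and inside the buffer, leaving a NUL */
        return -1;
    memcpy(name, data + 4, namelen);
    name[namelen] = '\0';
    return 0;
}

/* Constructed samples: namelen=3 ("foo"), 0 requests; and a namelen=4096 claim. */
static const uint8_t sample_ok[]  = {0, 0, 0, 3, 'f', 'o', 'o', 0, 0};
static const uint8_t sample_bad[] = {0, 0, 0x10, 0, 'f', 'o', 'o', 0, 0};

int main(void) {
    char name[NAME_BUF_SIZE];
    printf("ok:  %d\n", parse_info_name(sample_ok, sizeof sample_ok,
                                        (uint32_t)sizeof sample_ok, name));
    printf("bad: %d\n", parse_info_name(sample_bad, sizeof sample_bad,
                                        (uint32_t)sizeof sample_bad, name));
    return 0;
}
```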

