[BUG] nbd-server: Remote stack-based buffer overflow

To: "nbd@other.debian.org" <nbd@other.debian.org>
Subject: [BUG] nbd-server: Remote stack-based buffer overflow
From: Dialluvioso <dialluvioso@protonmail.com>
Date: Sun, 23 Jan 2022 14:10:18 +0000
Message-id: <[🔎] dubhYNvh2heXj7wtg2sSTwouzZOAk4uzHtra2MPWnuH2iSGKLlQphnI-jt-wH-8SKSpo2LOU7H1qz4XfRwOMhamPuYCLBydRuyhdLpL2qfk=@protonmail.com>
Reply-to: Dialluvioso <dialluvioso@protonmail.com>

There is a remote exploitable stack-based buffer overflow in line 2299 `handle_info` (`nbd-server.c`), fields `len` and `namelen` aren't properly checked therefore `socked_read` will overflow local buffer `buf` (max size 1024 bytes).

For reproducing the issue, you only need to perform the negotiation of the protocol and send a `NB_OPT_INFO` or `NBD_OPT_GO` request with a malformed `len`.

Reply to:

Prev by Date: [PATCH 8/9] nbd-trplay: 1st usable version
Next by Date: report security problem of nbd
Previous by thread: Re: [PATCH 0/9] Add data to datalog, add replay tool, V03
Next by thread: report security problem of nbd
Index(es):
- Date
- Thread