nbd-client: Stricter enforcing of structured reply spec
Ensure that the server is not sending unexpected chunk lengths for either the NONE or the OFFSET_DATA chunk, nor unexpected hole length for OFFSET_HOLE. This will flag any server as broken that responds to a zero-length read with an OFFSET_DATA (what our server currently does, but that's about to be fixed) or with OFFSET_HOLE, even though we previously fixed our client to never be able to send such a request over the wire. Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <20171108215703.9295-7-eblake@redhat.com> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
This commit is contained in:
Eric Blake
parent
9d8f818cde
commit
b4176cb314
@ -216,7 +216,7 @@ static int nbd_parse_offset_hole_payload(NBDStructuredReplyChunk *chunk,
|
|||||||
offset = payload_advance64(&payload);
|
offset = payload_advance64(&payload);
|
||||||
hole_size = payload_advance32(&payload);
|
hole_size = payload_advance32(&payload);
|
||||||
|
|
||||||
if (offset < orig_offset || hole_size > qiov->size ||
|
if (!hole_size || offset < orig_offset || hole_size > qiov->size ||
|
||||||
offset > orig_offset + qiov->size - hole_size) {
|
offset > orig_offset + qiov->size - hole_size) {
|
||||||
error_setg(errp, "Protocol error: server sent chunk exceeding requested"
|
error_setg(errp, "Protocol error: server sent chunk exceeding requested"
|
||||||
" region");
|
" region");
|
||||||
@ -281,7 +281,8 @@ static int nbd_co_receive_offset_data_payload(NBDClientSession *s,
|
|||||||
|
|
||||||
assert(nbd_reply_is_structured(&s->reply));
|
assert(nbd_reply_is_structured(&s->reply));
|
||||||
|
|
||||||
if (chunk->length < sizeof(offset)) {
|
/* The NBD spec requires at least one byte of payload */
|
||||||
|
if (chunk->length <= sizeof(offset)) {
|
||||||
error_setg(errp, "Protocol error: invalid payload for "
|
error_setg(errp, "Protocol error: invalid payload for "
|
||||||
"NBD_REPLY_TYPE_OFFSET_DATA");
|
"NBD_REPLY_TYPE_OFFSET_DATA");
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
@ -293,6 +294,7 @@ static int nbd_co_receive_offset_data_payload(NBDClientSession *s,
|
|||||||
be64_to_cpus(&offset);
|
be64_to_cpus(&offset);
|
||||||
|
|
||||||
data_size = chunk->length - sizeof(offset);
|
data_size = chunk->length - sizeof(offset);
|
||||||
|
assert(data_size);
|
||||||
if (offset < orig_offset || data_size > qiov->size ||
|
if (offset < orig_offset || data_size > qiov->size ||
|
||||||
offset > orig_offset + qiov->size - data_size) {
|
offset > orig_offset + qiov->size - data_size) {
|
||||||
error_setg(errp, "Protocol error: server sent chunk exceeding requested"
|
error_setg(errp, "Protocol error: server sent chunk exceeding requested"
|
||||||
@ -411,6 +413,11 @@ static coroutine_fn int nbd_co_do_receive_one_chunk(
|
|||||||
" NBD_REPLY_FLAG_DONE flag set");
|
" NBD_REPLY_FLAG_DONE flag set");
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
if (chunk->length) {
|
||||||
|
error_setg(errp, "Protocol error: NBD_REPLY_TYPE_NONE chunk with"
|
||||||
|
" nonzero length");
|
||||||
|
return -EINVAL;
|
||||||
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user