|
@@ -1413,6 +1413,18 @@ static int nbd_receive_structured_reply_chunk(QIOChannel *ioc,
|
|
chunk->cookie = be64_to_cpu(chunk->cookie);
|
|
chunk->cookie = be64_to_cpu(chunk->cookie);
|
|
chunk->length = be32_to_cpu(chunk->length);
|
|
chunk->length = be32_to_cpu(chunk->length);
|
|
|
|
|
|
|
|
+ /*
|
|
|
|
+ * Because we use BLOCK_STATUS with REQ_ONE, and cap READ requests
|
|
|
|
+ * at 32M, no valid server should send us payload larger than
|
|
|
|
+ * this. Even if we stopped using REQ_ONE, sane servers will cap
|
|
|
|
+ * the number of extents they return for block status.
|
|
|
|
+ */
|
|
|
|
+ if (chunk->length > NBD_MAX_BUFFER_SIZE + sizeof(NBDStructuredReadData)) {
|
|
|
|
+ error_setg(errp, "server chunk %" PRIu32 " (%s) payload is too long",
|
|
|
|
+ chunk->type, nbd_rep_lookup(chunk->type));
|
|
|
|
+ return -EINVAL;
|
|
|
|
+ }
|
|
|
|
+
|
|
return 0;
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
|