Home Explore Help
Register Sign In
FangSoftSoft
/
qemu
mirror of https://github.com/utmapp/qemu.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

nbd: avoid out of bounds access to recv_coroutine array

This can happen with a buggy or malicious server.

Reported-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Paolo Bonzini 13 years ago
parent
e6f5d0be73
commit
dd3e8ac413
1 changed files with 5 additions and 1 deletions
Unified View Show Diff Stats
  1. 5 1
      block/nbd.c

+ 5 - 1
block/nbd.c
View File 

@@ -150,7 +150,7 @@ static int nbd_have_request(void *opaque)
 
 static void nbd_reply_ready(void *opaque)
 
 static void nbd_reply_ready(void *opaque)
 
 {
 
 {
 
     BDRVNBDState *s = opaque;
 
     BDRVNBDState *s = opaque;
 
-    int i;
 
+    uint64_t i;
 
 
 
     if (s->reply.handle == 0) {
 
     if (s->reply.handle == 0) {
 
         /* No reply already in flight.  Fetch a header.  */
 
         /* No reply already in flight.  Fetch a header.  */
 
@@ -164,6 +164,10 @@ static void nbd_reply_ready(void *opaque)
 
      * handler acts as a synchronization point and ensures that only
 
      * handler acts as a synchronization point and ensures that only
 
      * one coroutine is called until the reply finishes.  */
 
      * one coroutine is called until the reply finishes.  */
 
     i = HANDLE_TO_INDEX(s, s->reply.handle);
 
     i = HANDLE_TO_INDEX(s, s->reply.handle);
 
+    if (i >= MAX_NBD_REQUESTS) {
 
+        goto fail;
 
+    }
 
+
 
     if (s->recv_coroutine[i]) {
 
     if (s->recv_coroutine[i]) {
 
         qemu_coroutine_enter(s->recv_coroutine[i], NULL);
 
         qemu_coroutine_enter(s->recv_coroutine[i], NULL);
 
         return;
 
         return;