author | Paolo Bonzini <pbonzini@redhat.com> | 2012-03-12 15:23:13 +0100 |
---|---|---|
committer | Paolo Bonzini <pbonzini@redhat.com> | 2012-04-19 16:36:42 +0200 |
commit | dd3e8ac413a74a58d6a3ba16a26952f84370fcff (patch) | |
tree | dfcdc5b39093be9708c109061c425938d93ed11c | |
parent | e6f5d0be730a41bacb10edba19d1369ec2949486 (diff) |
nbd: avoid out of bounds access to recv_coroutine array
This can happen with a buggy or malicious server that returns a reply handle which does not map to a valid request slot.
Reported-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-rw-r--r-- | block/nbd.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/block/nbd.c b/block/nbd.c index 161b299855..9972cdb655 100644 --- a/block/nbd.c +++ b/block/nbd.c @@ -150,7 +150,7 @@ static int nbd_have_request(void *opaque) static void nbd_reply_ready(void *opaque) { BDRVNBDState *s = opaque; - int i; + uint64_t i; if (s->reply.handle == 0) { /* No reply already in flight. Fetch a header. */ @@ -164,6 +164,10 @@ static void nbd_reply_ready(void *opaque) * handler acts as a synchronization point and ensures that only * one coroutine is called until the reply finishes. */ i = HANDLE_TO_INDEX(s, s->reply.handle); + if (i >= MAX_NBD_REQUESTS) { + goto fail; + } + if (s->recv_coroutine[i]) { qemu_coroutine_enter(s->recv_coroutine[i], NULL); return; |
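Review bot: The new `if (i >= MAX_NBD_REQUESTS)` bound check carries no comment saying why the index type was widened, and the reason is security-relevant: the handle comes from the server, and with `int i` the `HANDLE_TO_INDEX` result could be truncated or go negative before it reached the array, so a reader may later "simplify" the type back. Suggest `uint64_t i; /* derived from the server-supplied reply handle; keep full width so the MAX_NBD_REQUESTS check below cannot be bypassed by truncation */`. The check only keeps the index inside the array; a server that returns a valid but wrong handle still enters `qemu_coroutine_enter(s->recv_coroutine[i], NULL)` for another request's coroutine, so any matching of the reply to its request must happen elsewhere, which is not visible in this hunk and is worth stating in the comment above the check. The `fail:` label and the remainder of nbd_reply_ready lie outside the hunk.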