diff options
author | Peter Lieven <pl@kamp.de> | 2015-06-26 13:14:01 +0200 |
---|---|---|
committer | Stefan Hajnoczi <stefanha@redhat.com> | 2015-07-02 10:06:23 +0100 |
commit | 29c838cdc96c4d117f00c75bbcb941e1be9590fb (patch) | |
tree | 5bed69152871bcbb03792c662656903616add9f7 /block | |
parent | 9049736ec70fdc886ac0df521fdd8b2886b2cb63 (diff) |
block/nfs: limit maximum readahead size to 1MB
a malicious caller could otherwise specify a very
large value via the URI and force libnfs to allocate
a large amount of memory for the readahead buffer.
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-id: 1435317241-25585-1-git-send-email-pl@kamp.de
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'block')
-rw-r--r-- | block/nfs.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/block/nfs.c b/block/nfs.c index ca9e24efe5..c026ff6883 100644 --- a/block/nfs.c +++ b/block/nfs.c @@ -35,6 +35,8 @@ #include "sysemu/sysemu.h" #include <nfsc/libnfs.h> +#define QEMU_NFS_MAX_READAHEAD_SIZE 1048576 + typedef struct NFSClient { struct nfs_context *context; struct nfsfh *fh; @@ -327,6 +329,11 @@ static int64_t nfs_client_open(NFSClient *client, const char *filename, nfs_set_tcp_syncnt(client->context, val); #ifdef LIBNFS_FEATURE_READAHEAD } else if (!strcmp(qp->p[i].name, "readahead")) { + if (val > QEMU_NFS_MAX_READAHEAD_SIZE) { + error_report("NFS Warning: Truncating NFS readahead" + " size to %d", QEMU_NFS_MAX_READAHEAD_SIZE); + val = QEMU_NFS_MAX_READAHEAD_SIZE; + } nfs_set_readahead(client->context, val); #endif } else { |