-rw-r--r--include/block/nbd.h6
-rw-r--r--nbd/client.c2
-rw-r--r--nbd/server.c4
3 files changed, 9 insertions, 3 deletions
diff --git a/include/block/nbd.h b/include/block/nbd.h
index 747bb0aaeb..df1f804338 100644
--- a/include/block/nbd.h
+++ b/include/block/nbd.h
@@ -77,6 +77,12 @@ enum {
/* Maximum size of a single READ/WRITE data buffer */
#define NBD_MAX_BUFFER_SIZE (32 * 1024 * 1024)
+/* Maximum size of an export name. The NBD spec requires 256 and
+ * suggests that servers support up to 4096, but we stick to only the
+ * required size so that we can stack-allocate the names, and because
+ * going larger would require an audit of more code to make sure we
+ * aren't overflowing some other buffer. */
+#define NBD_MAX_NAME_SIZE 256
ssize_t nbd_wr_syncv(QIOChannel *ioc,
struct iovec *iov,
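Review bot: The comment on `NBD_MAX_NAME_SIZE` does not say whether the 256 bytes include a terminating NUL, and the server code in this commit depends on the answer being no, since it declares `char name[NBD_MAX_NAME_SIZE + 1]`. I would add a sentence to the comment such as `Buffers that hold a name need NBD_MAX_NAME_SIZE + 1 bytes: the limit counts bytes on the wire and excludes the trailing NUL.` The existing text already gives stack allocation as the reason for the small limit, so the sizing rule belongs next to it where the next person declaring such a buffer will read it.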
diff --git a/nbd/client.c b/nbd/client.c
index e8bf9fb540..287487c6c2 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -210,7 +210,7 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, Error **errp)
error_setg(errp, "incorrect option name length");
return -1;
}
- if (namelen > 255) {
+ if (namelen > NBD_MAX_NAME_SIZE) {
error_setg(errp, "export name length too long %" PRIu32, namelen);
return -1;
}
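Review bot: The bound in `nbd_receive_list` moves from 255 to 256 with this line, so a name one byte longer than before is now accepted from the server. The buffer that receives `namelen` bytes is set up outside this hunk; it should be confirmed that it holds `namelen + 1` bytes so the terminator still fits at the new maximum. A short comment at the check, e.g. `/* namelen excludes the NUL; the buffer below must hold namelen + 1 */`, would make that dependency visible to later edits.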
diff --git a/nbd/server.c b/nbd/server.c
index 41067a4bf8..a677e266ff 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -286,13 +286,13 @@ static int nbd_negotiate_handle_list(NBDClient *client, uint32_t length)
static int nbd_negotiate_handle_export_name(NBDClient *client, uint32_t length)
{
int rc = -EINVAL;
- char name[256];
+ char name[NBD_MAX_NAME_SIZE + 1];
/* Client sends:
[20 .. xx] export name (length bytes)
*/
TRACE("Checking length");
- if (length > 255) {
+ if (length >= sizeof(name)) {
LOG("Bad length received");
goto fail;
}
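Review bot: The server check `length >= sizeof(name)` and the client check `namelen > NBD_MAX_NAME_SIZE` enforce the same limit in two different forms, which makes the boundary harder to compare across the two files. I would write `if (length > NBD_MAX_NAME_SIZE) {` here to match nbd/client.c, or keep the `sizeof` form and add `/* sizeof(name) includes room for the NUL */` beside it. The rejection message could also carry the received length, as the client's error text does, so a refused client is easier to diagnose from the log. The rest of `nbd_negotiate_handle_export_name`, including the read into `name`, lies outside the hunk.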