[Libguestfs] [libnbd PATCH 2/4] states: Reject payload to NBD_REP_ACK

Eric Blake eblake at redhat.com
Sun May 19 03:55:10 UTC 2019


The protocol says NBD_REP_ACK should be sent without payload. Enforce
this.
---
 generator/states-newstyle-opt-go.c               | 5 +++++
 generator/states-newstyle-opt-set-meta-context.c | 5 +++++
 generator/states-newstyle-opt-structured-reply.c | 6 ++++++
 3 files changed, 16 insertions(+)

diff --git a/generator/states-newstyle-opt-go.c b/generator/states-newstyle-opt-go.c
index 6a7b3af..200d16f 100644
--- a/generator/states-newstyle-opt-go.c
+++ b/generator/states-newstyle-opt-go.c
@@ -118,6 +118,11 @@
   }
   switch (reply) {
   case NBD_REP_ACK:
+    if (len != 0) {
+      SET_NEXT_STATE (%.DEAD);
+      set_error (0, "handshake: invalid option reply length");
+      return -1;
+    }
     SET_NEXT_STATE (%.READY);
     return 0;
   case NBD_REP_INFO:
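Review bot: The new `len != 0` guard at the top of the NBD_REP_ACK case carries no comment explaining why a zero length is required, and the same guard is repeated in the set-meta-context and structured-reply hunks of this patch; a short comment such as `/* NBD_REP_ACK carries no payload; a non-zero length is a protocol violation, so drop the connection. */` would save a reader a trip to the spec. The shared message `"handshake: invalid option reply length"` is identical in all three files and does not say which reply it was rejecting, so a failing handshake is harder to diagnose from a log; naming the reply, e.g. `"handshake: NBD_REP_ACK with non-zero payload length"`, would help. The enclosing state function starts and ends outside this hunk.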
diff --git a/generator/states-newstyle-opt-set-meta-context.c b/generator/states-newstyle-opt-set-meta-context.c
index fdc0500..5a445b2 100644
--- a/generator/states-newstyle-opt-set-meta-context.c
+++ b/generator/states-newstyle-opt-set-meta-context.c
@@ -133,6 +133,11 @@ const char base_allocation[] = "base:allocation";
     }
     switch (reply) {
     case NBD_REP_ACK:           /* End of list of replies. */
+      if (len != 0) {
+	SET_NEXT_STATE (%.DEAD);
+	set_error (0, "handshake: invalid option reply length");
+	return -1;
+      }
       SET_NEXT_STATE (%FINISH);
       break;
     case NBD_REP_META_CONTEXT:  /* A context. */
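Review bot: The three body lines of the new `if (len != 0)` block (`SET_NEXT_STATE (%.DEAD);`, `set_error (...)`, `return -1;`) are indented with a tab, while the surrounding context lines and the equivalent block in the opt-go hunk use spaces only. If this file does not already follow the GNU convention of folding eight spaces into a tab, the block should be re-indented with spaces so the three hunks of this patch look alike. The enclosing state function starts and ends outside this hunk.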
diff --git a/generator/states-newstyle-opt-structured-reply.c b/generator/states-newstyle-opt-structured-reply.c
index 56335fd..91acdcc 100644
--- a/generator/states-newstyle-opt-structured-reply.c
+++ b/generator/states-newstyle-opt-structured-reply.c
@@ -74,10 +74,16 @@
   }
   switch (reply) {
   case NBD_REP_ACK:
+    if (conn->sbuf.or.option_reply.replylen != 0) {
+      SET_NEXT_STATE (%.DEAD);
+      set_error (0, "handshake: invalid option reply length");
+      return -1;
+    }
     debug (conn->h, "negotiated structured replies on this connection");
     conn->structured_replies = true;
     break;
   default:
+    /* XXX: capture instead of skip server's payload to NBD_REP_ERR*? */
     debug (conn->h, "structured replies are not supported by this server");
     conn->structured_replies = false;
     break;
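Review bot: The new guard here compares `conn->sbuf.or.option_reply.replylen` directly, whereas the opt-go and set-meta-context hunks compare a local `len`; presumably this file has no such local, but reading the raw field makes the three checks look different for no reason, and a `uint32_t len = ...` local (or the same field access in all three files) would keep them uniform. The `!= 0` test itself is independent of whether the field has already been converted from network byte order, so the check is correct either way, but anything that later logs or uses the value will need to know. The added `/* XXX ... */` in the default branch would be more useful if it also stated what happens today, e.g. `/* XXX: the payload of an NBD_REP_ERR* reply is currently skipped, not captured; consider surfacing it in the error message. */`. The enclosing state function starts and ends outside this hunk.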
-- 
2.20.1



