nbd: avoid out of bounds access to recv_coroutine array
An out-of-bounds index can be produced by a buggy or malicious server, since the reply handle comes from the server. Reported-by: Michael Tokarev <mjt@tls.msk.ru> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
							parent
							
								
									e6f5d0be73
								
							
						
					
					
						commit
						dd3e8ac413
					
				|  | @ -150,7 +150,7 @@ static int nbd_have_request(void *opaque) | ||||||
| static void nbd_reply_ready(void *opaque) | static void nbd_reply_ready(void *opaque) | ||||||
| { | { | ||||||
|     BDRVNBDState *s = opaque; |     BDRVNBDState *s = opaque; | ||||||
|     int i; |     uint64_t i; | ||||||
| 
 | 
 | ||||||
|     if (s->reply.handle == 0) { |     if (s->reply.handle == 0) { | ||||||
|         /* No reply already in flight.  Fetch a header.  */ |         /* No reply already in flight.  Fetch a header.  */ | ||||||
|  | @ -164,6 +164,10 @@ static void nbd_reply_ready(void *opaque) | ||||||
|      * handler acts as a synchronization point and ensures that only |      * handler acts as a synchronization point and ensures that only | ||||||
|      * one coroutine is called until the reply finishes.  */ |      * one coroutine is called until the reply finishes.  */ | ||||||
|     i = HANDLE_TO_INDEX(s, s->reply.handle); |     i = HANDLE_TO_INDEX(s, s->reply.handle); | ||||||
|  |     if (i >= MAX_NBD_REQUESTS) { | ||||||
|  |         goto fail; | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|     if (s->recv_coroutine[i]) { |     if (s->recv_coroutine[i]) { | ||||||
|         qemu_coroutine_enter(s->recv_coroutine[i], NULL); |         qemu_coroutine_enter(s->recv_coroutine[i], NULL); | ||||||
|         return; |         return; | ||||||
|  |  | ||||||
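Review bot: The new check `if (i >= MAX_NBD_REQUESTS)` is only as strong as HANDLE_TO_INDEX, which is outside the hunk: it is sound here because `i` became `uint64_t`, so the macro's result is compared untruncated, but if the macro ever masks or narrows the handle the comparison would pass for a server-chosen value, so the tie between the two deserves a comment, e.g. `/* The handle is server-supplied: validate the derived index before it touches recv_coroutine[]. */`. The check also cannot catch an in-range but stale index, which still selects whatever coroutine occupies that slot and enters it; the NULL branch after `if (s->recv_coroutine[i])` decides what happens then and is not visible. The `fail` label is likewise outside the hunk, so I cannot confirm that the error path resets `s->reply.handle` or tears down the connection rather than leaving a half-read reply in flight. nbd_reply_ready's body continues past the end of the hunk.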
	
	 Paolo Bonzini
						Paolo Bonzini