From nobody Sun Oct 5 17:36:29 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1602184077; cv=none; d=zohomail.com; s=zohoarc; b=IENxpPOEyEqapPkSZwGQ8Rz52p1sHoJ6zuEh9qdz3DzQpXEcppyTz/dkktHr7SWvN99FStQA0SAdieCW9sGv7caVPauLWXCWQ2XHafBX7H/RKd+aGa3PAdZgxHcQ2ntKjDODbqKkwBSNWoDLNsN/U+aRFLEuv8gvxlP2CHtbmNA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1602184077; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=gY3Y6Sxj0tbyVRafvnFkR174lw2Nu8m6GWmsr3M3YtM=; b=jXWihHPdr6j5heps6VDbCbhY++DX7yNrt/vEb/AD3Ry3vH1FTU7OfPXZTCm6T98+5UY4lCKawFnJdcFXbpSQSLFGR+0e6bhtFFPQuL8LWAfwmiGHN8pDxaOL+G+sv9wo7LDU+ceVtE0zFsLYGmJheykyWhQl5ynw4OA8c3SnF8M= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1602184077021774.6892062432436; Thu, 8 Oct 2020 12:07:57 -0700 (PDT) Received: from localhost ([::1]:58142 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kQbGb-0006sz-NT for importer@patchew.org; Thu, 08 Oct 2020 15:07:53 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:46850) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kQb94-0007wS-GP for qemu-devel@nongnu.org; Thu, 08 Oct 2020 15:00:07 -0400 Received: from us-smtp-delivery-124.mimecast.com ([63.128.21.124]:41138) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.90_1) (envelope-from ) id 1kQb90-0003fO-Cp for qemu-devel@nongnu.org; Thu, 08 Oct 2020 15:00:06 -0400 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-584-3xpA4Gh9N2yPj_ED_0v7dQ-1; Thu, 08 Oct 2020 14:59:59 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 55E3157052; Thu, 8 Oct 2020 18:59:58 +0000 (UTC) Received: from blue.redhat.com (ovpn-113-14.phx2.redhat.com [10.3.113.14]) by smtp.corp.redhat.com (Postfix) with ESMTP id 0605A5D9E8; Thu, 8 Oct 2020 18:59:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1602183601; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=gY3Y6Sxj0tbyVRafvnFkR174lw2Nu8m6GWmsr3M3YtM=; b=Me5gh8t8i0yCMO/u/oQAjyY19RN7LyGeuHe9bqNo03gE9u5yuzhDZEAado2jrTgftdlgj2 wQ4vfUpnT/ZT4AAxP9lnyZqTijf4O/DbdX2H4oYGe16ViI23/gXoREcHcD9spT/CBgzhi+ wXSlmqpacmTOawvx5DO41UljCUuNfYM= X-MC-Unique: 3xpA4Gh9N2yPj_ED_0v7dQ-1 From: Eric Blake To: qemu-devel@nongnu.org Subject: [PULL 7/8] nbd/server: Reject embedded NUL in NBD strings Date: Thu, 8 Oct 2020 13:59:50 -0500 Message-Id: <20201008185951.1026052-8-eblake@redhat.com> In-Reply-To: <20201008185951.1026052-1-eblake@redhat.com> References: <20201008185951.1026052-1-eblake@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=eblake@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=63.128.21.124; envelope-from=eblake@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-detected-operating-system: by eggs.gnu.org: First seen = 2020/10/08 01:56:49 X-ACL-Warn: Detected OS = Linux 2.2.x-3.x [generic] [fuzzy] X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Vladimir Sementsov-Ogievskiy , "open list:Network Block Dev..." Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) Content-Type: text/plain; charset="utf-8" The NBD spec is clear that any string sent from the client must not contain embedded NUL characters. If the client passes "a\0", we should reject that option request rather than act on "a". Testing this is not possible with a compliant client, but I was able to use gdb to coerce libnbd into temporarily behaving as such a client. Signed-off-by: Eric Blake Message-Id: <20200930121105.667049-3-eblake@redhat.com> Reviewed-by: Vladimir Sementsov-Ogievskiy Signed-off-by: Eric Blake --- nbd/server.c | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/nbd/server.c b/nbd/server.c index f25cffa334fa..50f95abe3168 100644 --- a/nbd/server.c +++ b/nbd/server.c @@ -301,10 +301,11 @@ nbd_opt_invalid(NBDClient *client, Error **errp, cons= t char *fmt, ...) } /* Read size bytes from the unparsed payload of the current option. + * If @check_nul, require that no NUL bytes appear in buffer. * Return -errno on I/O error, 0 if option was completely handled by * sending a reply about inconsistent lengths, or 1 on success. */ static int nbd_opt_read(NBDClient *client, void *buffer, size_t size, - Error **errp) + bool check_nul, Error **errp) { if (size > client->optlen) { return nbd_opt_invalid(client, errp, @@ -312,7 +313,16 @@ static int nbd_opt_read(NBDClient *client, void *buffe= r, size_t size, nbd_opt_lookup(client->opt)); } client->optlen -=3D size; - return qio_channel_read_all(client->ioc, buffer, size, errp) < 0 ? -EI= O : 1; + if (qio_channel_read_all(client->ioc, buffer, size, errp) < 0) { + return -EIO; + } + + if (check_nul && strnlen(buffer, size) !=3D size) { + return nbd_opt_invalid(client, errp, + "Unexpected embedded NUL in option %s", + nbd_opt_lookup(client->opt)); + } + return 1; } /* Drop size bytes from the unparsed payload of the current option. @@ -349,7 +359,7 @@ static int nbd_opt_read_name(NBDClient *client, char **= name, uint32_t *length, g_autofree char *local_name =3D NULL; *name =3D NULL; - ret =3D nbd_opt_read(client, &len, sizeof(len), errp); + ret =3D nbd_opt_read(client, &len, sizeof(len), false, errp); if (ret <=3D 0) { return ret; } @@ -361,7 +371,7 @@ static int nbd_opt_read_name(NBDClient *client, char **= name, uint32_t *length, } local_name =3D g_malloc(len + 1); - ret =3D nbd_opt_read(client, local_name, len, errp); + ret =3D nbd_opt_read(client, local_name, len, true, errp); if (ret <=3D 0) { return ret; } @@ -576,14 +586,14 @@ static int nbd_negotiate_handle_info(NBDClient *clien= t, Error **errp) } trace_nbd_negotiate_handle_export_name_request(name); - rc =3D nbd_opt_read(client, &requests, sizeof(requests), errp); + rc =3D nbd_opt_read(client, &requests, sizeof(requests), false, errp); if (rc <=3D 0) { return rc; } requests =3D be16_to_cpu(requests); trace_nbd_negotiate_handle_info_requests(requests); while (requests--) { - rc =3D nbd_opt_read(client, &request, sizeof(request), errp); + rc =3D nbd_opt_read(client, &request, sizeof(request), false, errp= ); if (rc <=3D 0) { return rc; } @@ -806,7 +816,7 @@ static int nbd_meta_pattern(NBDClient *client, const ch= ar *pattern, bool *match, assert(len); query =3D g_malloc(len); - ret =3D nbd_opt_read(client, query, len, errp); + ret =3D nbd_opt_read(client, query, len, true, errp); if (ret <=3D 0) { g_free(query); return ret; @@ -943,7 +953,7 @@ static int nbd_negotiate_meta_query(NBDClient *client, char ns[5]; uint32_t len; - ret =3D nbd_opt_read(client, &len, sizeof(len), errp); + ret =3D nbd_opt_read(client, &len, sizeof(len), false, errp); if (ret <=3D 0) { return ret; } @@ -959,7 +969,7 @@ static int nbd_negotiate_meta_query(NBDClient *client, } len -=3D ns_len; - ret =3D nbd_opt_read(client, ns, ns_len, errp); + ret =3D nbd_opt_read(client, ns, ns_len, true, errp); if (ret <=3D 0) { return ret; } @@ -1016,7 +1026,7 @@ static int nbd_negotiate_meta_queries(NBDClient *clie= nt, "export '%s' not present", sane_name); } - ret =3D nbd_opt_read(client, &nb_queries, sizeof(nb_queries), errp); + ret =3D nbd_opt_read(client, &nb_queries, sizeof(nb_queries), false, e= rrp); if (ret <=3D 0) { return ret; } --=20 2.28.0