aboutsummaryrefslogtreecommitdiff
path: root/block/nbd.c
diff options
context:
space:
mode:
authorPaolo Bonzini <pbonzini@redhat.com>2012-03-12 15:23:13 +0100
committerPaolo Bonzini <pbonzini@redhat.com>2012-04-19 16:36:42 +0200
commitdd3e8ac413a74a58d6a3ba16a26952f84370fcff (patch)
treedfcdc5b39093be9708c109061c425938d93ed11c /block/nbd.c
parente6f5d0be730a41bacb10edba19d1369ec2949486 (diff)
downloadqemu-arm-dd3e8ac413a74a58d6a3ba16a26952f84370fcff.tar.gz
nbd: avoid out of bounds access to recv_coroutine array
This can happen with a buggy or malicious server. Reported-by: Michael Tokarev <mjt@tls.msk.ru> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'block/nbd.c')
-rw-r--r--block/nbd.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/block/nbd.c b/block/nbd.c
index 161b299855..9972cdb655 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -150,7 +150,7 @@ static int nbd_have_request(void *opaque)
static void nbd_reply_ready(void *opaque)
{
BDRVNBDState *s = opaque;
- int i;
+ uint64_t i;
if (s->reply.handle == 0) {
/* No reply already in flight. Fetch a header. */
@@ -164,6 +164,10 @@ static void nbd_reply_ready(void *opaque)
* handler acts as a synchronization point and ensures that only
* one coroutine is called until the reply finishes. */
i = HANDLE_TO_INDEX(s, s->reply.handle);
+ if (i >= MAX_NBD_REQUESTS) {
+ goto fail;
+ }
+
if (s->recv_coroutine[i]) {
qemu_coroutine_enter(s->recv_coroutine[i], NULL);
return;