The protocol says NBD_REP_ACK should be sent without payload. Enforce
this.
---
 generator/states-newstyle-opt-go.c               | 5 +++++
 generator/states-newstyle-opt-set-meta-context.c | 5 +++++
 generator/states-newstyle-opt-structured-reply.c | 6 ++++++
 3 files changed, 16 insertions(+)

diff --git a/generator/states-newstyle-opt-go.c 
b/generator/states-newstyle-opt-go.c
index 6a7b3af..200d16f 100644
--- a/generator/states-newstyle-opt-go.c
+++ b/generator/states-newstyle-opt-go.c
@@ -118,6 +118,11 @@
   }
   switch (reply) {
   case NBD_REP_ACK:
+    if (len != 0) {
+      SET_NEXT_STATE (%.DEAD);
+      set_error (0, "handshake: invalid option reply length");
+      return -1;
+    }
     SET_NEXT_STATE (%.READY);
     return 0;
   case NBD_REP_INFO:
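Review bot: The new length check in the NBD_REP_ACK case carries no comment saying why a zero length is required, and the same is true of the identical checks added in states-newstyle-opt-set-meta-context.c and states-newstyle-opt-structured-reply.c. A one-line comment above the `if`, such as `/* NBD_REP_ACK must carry no payload; a non-zero length is a protocol violation. */`, would tell a later reader that the DEAD transition is deliberate rather than a missed skip of the payload. The enclosing state handler starts before this hunk and the switch continues after it, so whether any other reply type in the switch gets an equivalent bound is not visible here.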
diff --git a/generator/states-newstyle-opt-set-meta-context.c 
b/generator/states-newstyle-opt-set-meta-context.c
index fdc0500..5a445b2 100644
--- a/generator/states-newstyle-opt-set-meta-context.c
+++ b/generator/states-newstyle-opt-set-meta-context.c
@@ -133,6 +133,11 @@ const char base_allocation[] = "base:allocation";
     }
     switch (reply) {
     case NBD_REP_ACK:           /* End of list of replies. */
+      if (len != 0) {
+       SET_NEXT_STATE (%.DEAD);
+       set_error (0, "handshake: invalid option reply length");
+       return -1;
+      }
       SET_NEXT_STATE (%FINISH);
       break;
     case NBD_REP_META_CONTEXT:  /* A context. */
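Review bot: The three statements inside the new `if (len != 0)` block are indented one column short (seven spaces where the surrounding code steps by two), so they do not line up with `SET_NEXT_STATE (%FINISH);` below; re-indent them to eight spaces to match the go and structured-reply variants of the same check. This case otherwise ends with `break` rather than `return 0`, so the new `return -1` after `SET_NEXT_STATE (%.DEAD)` is the one exit that bypasses whatever follows the switch; that looks intended for a fatal protocol error, but the rest of the handler lies outside the hunk.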
diff --git a/generator/states-newstyle-opt-structured-reply.c 
b/generator/states-newstyle-opt-structured-reply.c
index 56335fd..91acdcc 100644
--- a/generator/states-newstyle-opt-structured-reply.c
+++ b/generator/states-newstyle-opt-structured-reply.c
@@ -74,10 +74,16 @@
   }
   switch (reply) {
   case NBD_REP_ACK:
+    if (conn->sbuf.or.option_reply.replylen != 0) {
+      SET_NEXT_STATE (%.DEAD);
+      set_error (0, "handshake: invalid option reply length");
+      return -1;
+    }
     debug (conn->h, "negotiated structured replies on this connection");
     conn->structured_replies = true;
     break;
   default:
+    /* XXX: capture instead of skip server's payload to NBD_REP_ERR*? */
     debug (conn->h, "structured replies are not supported by this server");
     conn->structured_replies = false;
     break;
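Review bot: This check compares `conn->sbuf.or.option_reply.replylen` directly, while the two sibling hunks compare a local `len`, which is presumably the byte-swapped copy of the same field. Comparing the raw field against zero is byte-order independent, so the test is correct as written, but using the same local here, or a comment such as `/* raw field: comparing with 0 is endian-safe */`, would keep the three checks uniform and avoid a silent bug if the bound is ever changed to a non-zero value. The XXX comment added in the default branch records that NBD_REP_ERR* payloads are still skipped rather than captured, a gap this patch does not close. The enclosing handler starts outside the hunk.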
-- 
2.20.1
