v3 was here: https://lists.gnu.org/archive/html/qemu-devel/2024-08/msg00818.html
since then: - re-add a minor patch from v2 (now patch 1) - refactor how the client opaque pointer is handled (patch 2) - add two new patches to prevent malicious clients from consuming inordinate resources: change the default max-connections from unlimited to capped at 100 (patch 3), and add code to kill any client that takes longer than 10 seconds after connect to reach NBD_OPT_GO (patch 4) [Dan] - squash the connection list handling into a single patch (5) [Dan] - two new additional patches for reverting back to 9.0 behavior for integration testing purposes; I'm okay if these last two miss 9.1 Eric Blake (7): nbd: Minor style fixes nbd/server: Plumb in new args to nbd_client_add() nbd/server: CVE-2024-7409: Change default max-connections to 100 nbd/server: CVE-2024-7409: Drop non-negotiating clients nbd/server: CVE-2024-7409: Close stray client sockets at shutdown qemu-nbd: Allow users to adjust handshake limit nbd/server: Allow users to adjust handshake limit in QMP docs/tools/qemu-nbd.rst | 5 +++ qapi/block-export.json | 18 +++++++--- include/block/nbd.h | 20 +++++++++-- block/monitor/block-hmp-cmds.c | 3 +- blockdev-nbd.c | 62 +++++++++++++++++++++++++++++++--- nbd/server.c | 51 +++++++++++++++++++++++++--- qemu-nbd.c | 44 ++++++++++++++++-------- nbd/trace-events | 1 + 8 files changed, 173 insertions(+), 31 deletions(-) -- 2.45.2