
Commit 3ef5204

committed
Fix buffer size checking
Yes, this means we've re-introduced CVE-2005-3534. Sigh.
1 parent 50e7e7e commit 3ef5204


1 file changed

+2
-2
lines changed


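--- a/nbd-server.c
+++ b/nbd-server.c
@@ -150,7 +150,7 @@ gboolean do_oldstyle=FALSE;
 #define OFFT_MAX ~((off_t)1<<(sizeof(off_t)*8-1))
 #define LINELEN 256 /**< Size of static buffer used to read the
 authorization file (yuck) */
-#define BUFSIZE (1024*1024) /**< Size of buffer that can hold requests */
+#define BUFSIZE ((1024*1024)+sizeof(struct nbd_reply)) /**< Size of buffer that can hold requests */
 #define DIFFPAGESIZE 4096 /**< diff file uses those chunks */
 #define F_READONLY 1 /**< flag to tell us a file is readonly */
 #define F_MULTIFILE 2 /**< flag to tell us a file is exported using -m */
@@ -1389,7 +1389,7 @@ int mainloop(CLIENT *client) {
 
 if (request.magic != htonl(NBD_REQUEST_MAGIC))
 err("Not enough magic.");
-if (len > BUFSIZE + sizeof(struct nbd_reply))
+if (len > BUFSIZE - sizeof(struct nbd_reply))
 err("Request too big!");
 #ifdef DODBG
 printf("%s from %llu (%llu) len %d, ", request.type ? "WRITE" :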
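Review bot: The 1 MiB payload limit is now encoded twice, once inside BUFSIZE at line 153 and again as `BUFSIZE - sizeof(struct nbd_reply)` in the check at line 1392 some 1200 lines away, which is exactly the kind of drift the commit message says already broke this check once. I would name the limit once and derive both from it: `#define MAXREQLEN (1024*1024) /**< largest request payload accepted */`, `#define BUFSIZE (MAXREQLEN + sizeof(struct nbd_reply)) /**< reply header plus one request payload */` and `if (len > MAXREQLEN)`, which also fixes BUFSIZE's doc comment, still reading "can hold requests" although the buffer now reserves room for the reply header too. The `%d` in the DODBG printf suggests `len` is a signed int; comparing it against a size_t expression converts it to unsigned, so a negative value is rejected only as a side effect of promotion, and an explicit `len < 0 ||` in the guard would make that intent visible (len's declaration is outside the hunk, so confirm its type first). mainloop() starts and ends outside this hunk, so whether len is also bounded against the export size or checked for overflow of from+len elsewhere is not visible here.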
