Hi,

looking at nbd-client.c: ask_list() I found a potential buffer
overflow and a potentially non-0-terminated string. The reply from the
server is not checked for an overly long export name or a missing 0
terminator.

MfG
        Goswin

--
diff --git a/nbd-client.c b/nbd-client.c
index 9c27418..4c8a9c1 100644
--- a/nbd-client.c
+++ b/nbd-client.c
@@ -139,7 +139,8 @@ void ask_list(int sock) {
        uint32_t len;
        uint32_t reptype;
        uint64_t magic;
-       char buf[1024];
+       const int BUF_SIZE = 1024;
+       char buf[BUF_SIZE];
 
        magic = ntohll(NBD_MAGIC_OPTS);
        if (write(sock, &magic, sizeof(magic)) < 0)
@@ -203,10 +204,15 @@ void ask_list(int sock) {
                                        exit(EXIT_FAILURE);
                                }
                                len=ntohl(len);
+                               if (len >= BUF_SIZE) {
+                                       fprintf(stderr, "\nE: export name on 
server too long\n");
+                                       exit(EXIT_FAILURE);
+                               }
                                if(read(sock, buf, len) < 0) {
                                        fprintf(stderr, "\nE: could not read 
export name from server\n");
                                        exit(EXIT_FAILURE);
                                }
+                               buf[len] = 0;
                                printf("%s\n", buf);
                        }
                }
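Review bot: The added `buf[len] = 0;` terminates the buffer at the requested length, but `if(read(sock, buf, len) < 0)` above it still accepts a short read or EOF (a return of 0..len-1), in which case the bytes between the read count and `buf[len]` are never written and `printf("%s\n", buf)` prints uninitialized stack contents to the terminal. Capture the return value and require the full length, `ssize_t n = read(sock, buf, len); if (n < 0 || (size_t)n != len) { fprintf(stderr, "\nE: could not read export name from server\n"); exit(EXIT_FAILURE); }`, or better, loop until `len` bytes have arrived, since a socket read may legitimately return fewer bytes than asked. The `len >= BUF_SIZE` check correctly leaves room for the terminator. As mailed, the two `fprintf` string literals are wrapped across lines and the patch will need rejoining before it applies. ask_list's body extends before and after this hunk.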

