On 6/10/20 11:37 AM, Eric Blake wrote:
We may later want to further sanitize the user-supplied strings we
place into our error messages, such as scrubbing out control
characters, but that is less important to the CVE fix, so it can be a
later patch to the new nbd_sanitize_name.
+static char *
+nbd_sanitize_name(const char *name)
+{
+ if (strnlen(name, 80) < 80) {
+ return g_strdup(name);
+ }
+ /* XXX Should we also try to sanitize any control characters? */
+ return g_strdup_printf("%.80s...", name);
Max pointed out off-list that this can take a valid UTF-8 name from the
client and truncate it mid-character to make our reply NOT valid UTF-8,
which is a (minor) violation of the NBD protocol. We have not yet
implemented strict UTF-8 enforcement in qemu (neither our client nor
server code takes pains to only send UTF-8, nor validates that incoming
strings are valid UTF-8); and while the server would previously echo
non-UTF-8 (where the client violated protocol first), this is now a case
where the server can be coerced into violating protocol first. I guess
I may end up doing a followup patch that adds incoming validation and in
the process avoids chopping a multi-byte character, but that's just as
easy to fold in with my question about sanitizing control characters.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
