In qemu 4.2, I accidentally introduced the ability for an NBD client obeying the specification to kill qemu as NBD server with an assertion failure when the client requests an unusually long export name, as a regression from the intended graceful server error message back to the client. Given that the DoS security hole can be mitigated by requiring TLS (and a client with TLS credentials is less likely to play such games), the plan is to make the issue public today and send a pull request through my NBD tree on Tuesday.
We may still want to revisit whether the block layer caps display names to 4095 bytes, or whether it should track a malloc'd name even when that name exceeds 4k. Eric Blake (2): nbd/server: Avoid long error message assertions CVE-2020-10761 block: Call attention to truncation of long NBD exports block.c | 7 +++++-- block/nbd.c | 21 +++++++++++++-------- nbd/server.c | 28 +++++++++++++++++++++++++--- tests/qemu-iotests/143 | 4 ++++ tests/qemu-iotests/143.out | 2 ++ 5 files changed, 49 insertions(+), 13 deletions(-) -- 2.27.0