[pve-qemu.git] / debian / patches / extra / 0015-nbd-server-CVE-2017-15119-Reject-options-larger-than.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 29 Nov 2017 09:39:55 +0100
Subject: [PATCH] nbd/server: CVE-2017-15119 Reject options larger than 32M

Backported-from: fdad35ef6c58
---
 nbd/server.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/nbd/server.c b/nbd/server.c
index a98bb21a0a..4d6da8ac06 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -489,6 +489,12 @@ static int nbd_negotiate_options(NBDClient *client)
         }
         length = be32_to_cpu(length);
 
+        if (length > NBD_MAX_BUFFER_SIZE) {
+            LOG("len (%" PRIu32" ) is larger than max len (%u)",
+                length, NBD_MAX_BUFFER_SIZE);
+            return -EINVAL;
+        }
+
         TRACE("Checking option 0x%" PRIx32, clientflags);
         if (client->tlscreds &&
             client->ioc == (QIOChannel *)client->sioc) {
-- 
2.11.0
Commit	Line	Data
3dcc8d3b	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
c53dfb57 WB	2	From: Wolfgang Bumiller <w.bumiller@proxmox.com>
c53dfb57 WB	3	Date: Wed, 29 Nov 2017 09:39:55 +0100
3dcc8d3b	4	Subject: [PATCH] nbd/server: CVE-2017-15119 Reject options larger than 32M
c53dfb57 WB	5
	6	Backported-from: fdad35ef6c58
	7	---
	8	nbd/server.c \| 6 ++++++
	9	1 file changed, 6 insertions(+)
	10
	11	diff --git a/nbd/server.c b/nbd/server.c
	12	index a98bb21a0a..4d6da8ac06 100644
	13	--- a/nbd/server.c
	14	+++ b/nbd/server.c
	15	@@ -489,6 +489,12 @@ static int nbd_negotiate_options(NBDClient *client)
	16	}
	17	length = be32_to_cpu(length);
	18
	19	+ if (length > NBD_MAX_BUFFER_SIZE) {
	20	+ LOG("len (%" PRIu32" ) is larger than max len (%u)",
	21	+ length, NBD_MAX_BUFFER_SIZE);
	22	+ return -EINVAL;
	23	+ }
	24	+
	25	TRACE("Checking option 0x%" PRIx32, clientflags);
	26	if (client->tlscreds &&
	27	client->ioc == (QIOChannel *)client->sioc) {
	28	--
	29	2.11.0
	30