From dd3e8ac413a74a58d6a3ba16a26952f84370fcff Mon Sep 17 00:00:00 2001
From: Paolo Bonzini
Date: Mon, 12 Mar 2012 15:23:13 +0100
Subject: [PATCH] nbd: avoid out of bounds access to recv_coroutine array

This can happen with a buggy or malicious server.

Reported-by: Michael Tokarev
Signed-off-by: Paolo Bonzini
---
 block/nbd.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/block/nbd.c b/block/nbd.c
index 161b299855..9972cdb655 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -150,7 +150,7 @@ static int nbd_have_request(void *opaque)
 static void nbd_reply_ready(void *opaque)
 {
     BDRVNBDState *s = opaque;
-    int i;
+    uint64_t i;
 
     if (s->reply.handle == 0) {
         /* No reply already in flight. Fetch a header. */
@@ -164,6 +164,10 @@ static void nbd_reply_ready(void *opaque)
      * handler acts as a synchronization point and ensures that only
      * one coroutine is called until the reply finishes. */
     i = HANDLE_TO_INDEX(s, s->reply.handle);
+    if (i >= MAX_NBD_REQUESTS) {
+        goto fail;
+    }
+
     if (s->recv_coroutine[i]) {
         qemu_coroutine_enter(s->recv_coroutine[i], NULL);
         return;
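Review bot: The new range check on the index derived from `s->reply.handle` carries no comment, so a reader of the second hunk cannot tell that the handle is supplied by the remote server and that this guard is the only thing keeping a malformed reply from indexing past `recv_coroutine[]`; suggest `/* The handle is server-supplied: reject an index outside recv_coroutine[] instead of trusting it. */` above the `if`. The check is only sound because the first hunk makes `i` unsigned (`uint64_t`), since with the old `int` a negative index would pass `i >= MAX_NBD_REQUESTS`; a short remark tying the two changes together would keep a later cleanup from reverting the type. What `HANDLE_TO_INDEX` computes and the `fail` label's error path are both outside the hunk, so whether the connection is torn down on this path cannot be confirmed from here.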