In line 421, `retval->datasize` is a `uint32_t` read from the socket, so it is untrusted data. The second parameter of `realloc` is also of type `unsigned int`, so `sizeof(struct reply) + retval->datasize` will overflow if `retval->datasize` is big enough. Although the vulnerability is in the client, a server controlled by an attacker can trigger the integer overflow.
https://github.com/NetworkBlockDevice/nbd/blob/4697b68efc0781ef0dd7bdc92229d399091fde51/nbd-client.c#L409-L422
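As an added illustration (not code from the nbd project), the following reproduces the arithmetic the report describes beside a hardened variant. `struct reply` here is a constructed stand-in for the client's reply header, and the 32 MiB payload cap is an assumed sanity limit, not a value from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the reply header; the real layout lives in nbd-client.c. */
struct reply {
    uint32_t magic;
    uint32_t error;
    uint64_t handle;
    uint32_t datasize;   /* attacker-controlled: read straight from the socket */
};

/* Mirrors the unchecked expression: the sum is evaluated in 32-bit unsigned
 * arithmetic, so a datasize close to UINT32_MAX wraps to a tiny allocation
 * while the caller still believes it has room for datasize bytes. */
uint32_t unchecked_alloc_size(uint32_t datasize) {
    return (uint32_t)sizeof(struct reply) + datasize;
}

/* Hardened variant: bound datasize by a protocol sanity limit, widen to size_t,
 * and test the addition before it happens. Returns the byte count to pass to
 * realloc(), or 0 (never a valid size here) when the length is rejected. */
size_t checked_alloc_size(uint32_t datasize, size_t max_payload) {
    if ((size_t)datasize > max_payload)
        return 0;                                   /* absurd length from the peer */
    if (SIZE_MAX - sizeof(struct reply) < (size_t)datasize)
        return 0;                                   /* would overflow size_t */
    return sizeof(struct reply) + (size_t)datasize;
}

/* Receive path using the checked size: grows *buf to hold header + payload. */
int receive_reply(const struct reply *hdr, size_t max_payload, void **buf) {
    size_t need = checked_alloc_size(hdr->datasize, max_payload);
    if (need == 0)
        return -1;                                  /* reject instead of wrapping */
    void *p = realloc(*buf, need);
    if (p == NULL)
        return -1;
    *buf = p;
    memcpy(*buf, hdr, sizeof(*hdr));
    return 0;
}

int main(void) {
    /* Constructed hostile header: datasize chosen so the 32-bit sum wraps. */
    struct reply evil = { .magic = 0, .error = 0, .handle = 1, .datasize = UINT32_MAX - 8 };
    printf("unchecked size: %u bytes\n", unchecked_alloc_size(evil.datasize));
    void *buf = NULL;
    printf("checked: %s\n", receive_reply(&evil, 32u << 20, &buf) == 0 ? "accepted" : "rejected");
    free(buf);
    return 0;
}
```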