NetworkBlockDevice / nbd

Network Block Device
GNU General Public License v2.0

Stack Overflow in nbd-client.c: 501 #136

Closed chenaotian closed 1 year ago

chenaotian commented 2 years ago

https://github.com/NetworkBlockDevice/nbd/blob/4697b68efc0781ef0dd7bdc92229d399091fde51/nbd-client.c#L440-L501

The data len is read from sock in line 451:

if(read(sock, &len, sizeof(len)) < 0) { 

So len is unsafe data; however, when it is used as the length of the read data, it is not verified in line 501:

if(len > 0) { 
    if(read(sock, buf, len) < 0) { 

buf is stack data, so if len is bigger than BUF_SIZE, it will cause a stack overflow.

yoe commented 1 year ago

This is incorrect.

Line 469 has:

if(len > 0 && len < BUF_SIZE) {

where stuff is handled, and then at 476 we do:

} exit(EXIT_FAILURE)

So if len > BUF_SIZE, we exit on line 477 and we never get to line 501.

So this is not a bug.

Sorry it took so long, but closing as invalid.
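An added example, not code from nbd-client.c: a C receive routine that reads a length-prefixed record into a fixed stack buffer and applies the `len > 0 && len < BUF_SIZE` check yoe points to before the untrusted length is used as a read size. BUF_SIZE's value, recv_record, read_full and demo are assumptions for this illustration; it also goes beyond the quoted fragments by looping over short reads, which a bare `read()` does not guarantee to avoid.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 1024 /* assumed size; nbd-client.c defines its own BUF_SIZE */

/* Read exactly n bytes, retrying on short reads and EINTR.
 * Returns 0 on success, -1 on error or early EOF. */
static int read_full(int fd, void *dst, size_t n) {
    unsigned char *p = dst;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (r == 0) return -1; /* peer closed before sending n bytes */
        p += r;
        n -= (size_t)r;
    }
    return 0;
}

/* Receive one length-prefixed record into buf (buf_size bytes).
 * Returns the payload length, -1 on I/O error, or -2 when the
 * untrusted length fails the bounds check. */
int recv_record(int fd, char *buf, size_t buf_size) {
    uint32_t len;
    if (read_full(fd, &len, sizeof len) < 0) return -1;
    /* Validate the peer-controlled length before using it as a read size. */
    if (!(len > 0 && len < buf_size)) return -2;
    if (read_full(fd, buf, len) < 0) return -1;
    return (int)len;
}

/* Constructed input for the demo: a header claiming claimed_len bytes,
 * followed by payload_len bytes of 'A', pushed through a pipe. */
int demo(uint32_t claimed_len, size_t payload_len) {
    int fds[2];
    char payload[2 * BUF_SIZE], buf[BUF_SIZE];
    if (payload_len > sizeof payload || pipe(fds) < 0) return -1;
    memset(payload, 'A', sizeof payload);
    if (write(fds[1], &claimed_len, sizeof claimed_len) < 0 ||
        write(fds[1], payload, payload_len) < 0) {
        close(fds[0]); close(fds[1]); return -1;
    }
    close(fds[1]); /* EOF marks the end of the constructed input */
    int rc = recv_record(fds[0], buf, sizeof buf);
    close(fds[0]);
    return rc;
}
```

A header claiming more than BUF_SIZE bytes is rejected before any payload byte is read into the stack buffer, and a truncated stream is reported as an I/O error rather than leaving buf partly filled.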