On Mon, Aug 16, 2021 at 01:50:46PM -0500, Eric Blake wrote:
https://nostarttls.secvuln.info/ pointed out a common implementation
flaw in various SMTP and IMAP servers with regard to improperly
caching plaintext state across the STARTTLS encryption boundary. It
turns out that nbdkit has the same vulnerability with regard to the NBD
protocol: an attacker is able to inject a plaintext
NBD_OPT_STRUCTURED_REPLY before proxying everything else a client
sends to the server; if the server then acts on that plaintext request
(as nbdkit did before this patch), then the server ends up sending
structured replies to at least NBD_CMD_READ, even though the client
was not expecting them. The NBD spec has been recently tightened to
declare the nbdkit behavior to be a security hole.
---
[NB: I'm still in the process of getting a CVE assigned; there is no
embargo since the issue is already public, but I may wait to apply
this patch until the commit message can be tweaked]
---
server/protocol-handshake-newstyle.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/server/protocol-handshake-newstyle.c b/server/protocol-handshake-newstyle.c
index a2c89c9a..7e6b7b1b 100644
--- a/server/protocol-handshake-newstyle.c
+++ b/server/protocol-handshake-newstyle.c
@@ -495,7 +495,8 @@ negotiate_handshake_newstyle_options (void)
return -1;
conn->using_tls = true;
debug ("using TLS on this connection");
- /* Wipe out any cached default export name. */
+ /* Wipe out any cached state. */
+ conn->structured_replies = false;
for_each_backend (b) {
free (conn->default_exportname[b->i]);
conn->default_exportname[b->i] = NULL;
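Review bot: the new reset of `conn->structured_replies` directly after `conn->using_tls = true` is the right fix, but the generalised comment `/* Wipe out any cached state. */` should say why the state is wiped, since nothing else in the hunk records that options accepted in plaintext before STARTTLS may have been injected by a man in the middle; something like `/* Wipe out any state negotiated in plaintext before STARTTLS: a MITM could have injected those options (see NBD proto.md on STARTTLS). */` would make the intent survive. It is also worth confirming that `structured_replies` and `default_exportname` are the only per-connection fields a plaintext option can set, because the hunk resets just those two and any other such field left in place would reopen the same hole.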
It'd be good to either reference the nostarttls website, or
the relevant section in NBD proto.md (if it's upstream yet)
in the comment.
But yes - ACK.
Thanks,
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
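To make the cached-state flaw described in the commit message concrete, here is a small model of the newstyle option negotiation, added as an example and not taken from nbdkit or the patch above. It tracks the two per-connection flags the patch touches, runs a constructed option sequence through both the unfixed and the fixed behaviour (the `wipe_on_tls` switch is this example's own, standing in for the hunk's reset), and reports whether structured replies would survive the TLS upgrade without the TLS-side client having asked for them. The option numbers are the NBD protocol's own.

```c
/* Model of NBD newstyle option state across STARTTLS (constructed example,
   not nbdkit's code). Option numbers are those defined by the NBD protocol. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NBD_OPT_STARTTLS         5
#define NBD_OPT_STRUCTURED_REPLY 8

struct conn {
  bool using_tls;
  bool structured_replies;
};

/* Apply one option to the connection. wipe_on_tls emulates the fix:
   drop everything negotiated in plaintext once TLS is established. */
static void handle_option (struct conn *c, uint32_t opt, bool wipe_on_tls)
{
  switch (opt) {
  case NBD_OPT_STARTTLS:
    if (c->using_tls) return;              /* spec: already using TLS */
    c->using_tls = true;
    if (wipe_on_tls) c->structured_replies = false;
    break;
  case NBD_OPT_STRUCTURED_REPLY:
    c->structured_replies = true;
    break;
  }
}

/* True if, after this option sequence, the server would send structured
   replies over TLS although no request for them arrived under TLS: that
   is exactly the plaintext state leaking across the STARTTLS boundary. */
bool leaks_plaintext_state (const uint32_t *opts, size_t n, bool wipe_on_tls)
{
  struct conn c = { 0 };
  bool requested_in_tls = false;
  for (size_t i = 0; i < n; i++) {
    handle_option (&c, opts[i], wipe_on_tls);
    if (c.using_tls && opts[i] == NBD_OPT_STRUCTURED_REPLY)
      requested_in_tls = true;
  }
  return c.using_tls && c.structured_replies && !requested_in_tls;
}

/* Constructed sequences: an injected plaintext option before STARTTLS,
   and an honest client that negotiates everything after STARTTLS. */
const uint32_t INJECTED_SEQ[] = { NBD_OPT_STRUCTURED_REPLY, NBD_OPT_STARTTLS };
const uint32_t HONEST_SEQ[]   = { NBD_OPT_STARTTLS, NBD_OPT_STRUCTURED_REPLY };
```

Running `leaks_plaintext_state (INJECTED_SEQ, 2, false)` reproduces the pre-patch behaviour (state leaks), while the same sequence with `wipe_on_tls` set, like the honest sequence, does not.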