The protocol says NBD_REP_ACK should be sent without payload. Enforce
this.
---
generator/states-newstyle-opt-go.c | 5 +++++
generator/states-newstyle-opt-set-meta-context.c | 5 +++++
generator/states-newstyle-opt-structured-reply.c | 6 ++++++
3 files changed, 16 insertions(+)
diff --git a/generator/states-newstyle-opt-go.c b/generator/states-newstyle-opt-go.c
index 6a7b3af..200d16f 100644
--- a/generator/states-newstyle-opt-go.c
+++ b/generator/states-newstyle-opt-go.c
@@ -118,6 +118,11 @@
}
switch (reply) {
case NBD_REP_ACK:
+ if (len != 0) {
+ SET_NEXT_STATE (%.DEAD);
+ set_error (0, "handshake: invalid option reply length");
+ return -1;
+ }
SET_NEXT_STATE (%.READY);
return 0;
case NBD_REP_INFO:
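Review bot: The new `set_error` under `case NBD_REP_ACK` discards the offending value, so a log line reading "handshake: invalid option reply length" says neither which length the server sent nor which option was being negotiated; the identical message is repeated in the opt-set-meta-context and opt-structured-reply hunks. Including the length makes a misbehaving or hostile server diagnosable from the client log alone, e.g. `set_error (0, "handshake: NBD_REP_ACK with non-zero payload length %u", (unsigned) len);` (the cast is because len's declared type is outside the hunk). Moving to DEAD rather than READY is the right response, since a payload-bearing ACK is not defined by the protocol and should not be acted on. The enclosing function and its `switch` begin outside the hunk.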
diff --git a/generator/states-newstyle-opt-set-meta-context.c
b/generator/states-newstyle-opt-set-meta-context.c
index fdc0500..5a445b2 100644
--- a/generator/states-newstyle-opt-set-meta-context.c
+++ b/generator/states-newstyle-opt-set-meta-context.c
@@ -133,6 +133,11 @@ const char base_allocation[] = "base:allocation";
}
switch (reply) {
case NBD_REP_ACK: /* End of list of replies. */
+ if (len != 0) {
+ SET_NEXT_STATE (%.DEAD);
+ set_error (0, "handshake: invalid option reply length");
+ return -1;
+ }
SET_NEXT_STATE (%FINISH);
break;
case NBD_REP_META_CONTEXT: /* A context. */
diff --git a/generator/states-newstyle-opt-structured-reply.c
b/generator/states-newstyle-opt-structured-reply.c
index 56335fd..91acdcc 100644
--- a/generator/states-newstyle-opt-structured-reply.c
+++ b/generator/states-newstyle-opt-structured-reply.c
@@ -74,10 +74,16 @@
}
switch (reply) {
case NBD_REP_ACK:
+ if (conn->sbuf.or.option_reply.replylen != 0) {
+ SET_NEXT_STATE (%.DEAD);
+ set_error (0, "handshake: invalid option reply length");
+ return -1;
+ }
debug (conn->h, "negotiated structured replies on this connection");
conn->structured_replies = true;
break;
default:
+ /* XXX: capture instead of skip server's payload to NBD_REP_ERR*? */
debug (conn->h, "structured replies are not supported by this server");
conn->structured_replies = false;
break;
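Review bot: The new check under `case NBD_REP_ACK` reads `conn->sbuf.or.option_reply.replylen` directly, whereas the parallel checks in opt-go and opt-set-meta-context compare a local `len`. Comparing the raw field against 0 is correct in any byte order, but if that field holds the wire (network-order) value — not visible here — a later comparison against a non-zero bound on the same line would be silently wrong; if this handler already has a byte-swapped `len`, `if (len != 0) {` keeps the three files consistent. The `/* XXX: ... */` added in the `default` branch is a question left in code; either name the follow-up, e.g. `/* TODO: capture the NBD_REP_ERR* payload so the server's message can be reported to the caller. */`, or drop it. The enclosing function begins outside the hunk.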
--
2.20.1