BUG: oversized 64b offset wrap not detected when offset + len > 64bit and thus wraps

author folkert <folkert@vanheusden.com>

Tue, 5 Mar 2013 09:23:31 +0000 (10:23 +0100)

committer Wouter Verhelst <w@uter.be>

Wed, 6 Mar 2013 12:09:57 +0000 (13:09 +0100)
author folkert <folkert@vanheusden.com>
Tue, 5 Mar 2013 09:23:31 +0000 (10:23 +0100)
committer Wouter Verhelst <w@uter.be>
Wed, 6 Mar 2013 12:09:57 +0000 (13:09 +0100)
diff --git a/nbd-server.c b/nbd-server.c

index f1f48bd..1755ae8 100644 (file)
--- a/nbd-server.c
+++ b/nbd-server.c
@@ -1770,6 +1770,12 @@ int mainloop(CLIENT *client) {
                                 continue;
                         }
  
+                       if (request.from + len < request.from) { // 64 bit overflow!!
+                               DEBUG("[RANGE!]");
+                               ERROR(client, reply, EINVAL);
+                               continue;
+                       }
+
                         if (((ssize_t)((off_t)request.from + len) > client->exportsize)) {
                                 DEBUG("[RANGE!]");
                                 ERROR(client, reply, EINVAL);
author	folkert <folkert@vanheusden.com>
	Tue, 5 Mar 2013 09:23:31 +0000 (10:23 +0100)
committer	Wouter Verhelst <w@uter.be>
	Wed, 6 Mar 2013 12:09:57 +0000 (13:09 +0100)