From 6d9223e10938aee257dc73024ae13440f9b7726a Mon Sep 17 00:00:00 2001
From: folkert
Date: Tue, 5 Mar 2013 10:23:31 +0100
Subject: [PATCH] BUG: oversized 64b offset wrap not detected when offset + len > 64bit and thus wraps if: offset = 64bit - 2KB len = 4KB then the server will allow the read/write because the check if (((ssize_t)((off_t)request.from + len) > client->exportsize)) will never trigger as client->exportsize will be compared with... offset 2KB!
---
 nbd-server.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/nbd-server.c b/nbd-server.c
index f1f48bd..1755ae8 100644
--- a/nbd-server.c
+++ b/nbd-server.c
@@ -1770,6 +1770,12 @@ int mainloop(CLIENT *client) {
 			continue;
 		}
 
+		if (request.from + len < request.from) { // 64 bit overflow!!
+			DEBUG("[RANGE!]");
+			ERROR(client, reply, EINVAL);
+			continue;
+		}
+
 		if (((ssize_t)((off_t)request.from + len) > client->exportsize)) {
 			DEBUG("[RANGE!]");
 			ERROR(client, reply, EINVAL);
-- 
2.34.1
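Review bot: The added wrap check closes the unsigned-overflow case, but the range check that follows it still goes through `(off_t)` and `(ssize_t)` casts, so an offset with the top bit set (at or above 2^63) becomes negative after the cast, the `> client->exportsize` comparison is false, and the request passes the range check even though it is far beyond the export. The wrap test only catches offsets whose sum wraps past 2^64, not this signed-conversion gap, and the same signed comparison is what made the original bug possible in the first place. Assuming `request.from` is a 64-bit unsigned field as the `// 64 bit overflow!!` comment implies, both cases can be rejected by one comparison that never leaves unsigned arithmetic and never overflows: `if (request.from > (uint64_t)client->exportsize || len > (uint64_t)client->exportsize - request.from) {`, which would replace both checks. The enclosing `mainloop` starts and ends outside this hunk, so the declared types of `len` and `client->exportsize` should be confirmed before adopting the cast.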