diff options
author | Paolo Bonzini | 2011-09-19 15:07:54 +0200 |
---|---|---|
committer | Paolo Bonzini | 2011-12-22 11:53:58 +0100 |
commit | a030b347aaa84e2d1b42c9cb2bc9e2d8bec50046 (patch) | |
tree | c157c24d0933033aec89861c1f8e1c1ad3efc3d0 | |
parent | qemu-nbd: more robust handling of invalid requests (diff) | |
download | qemu-a030b347aaa84e2d1b42c9cb2bc9e2d8bec50046.tar.gz qemu-a030b347aaa84e2d1b42c9cb2bc9e2d8bec50046.tar.xz qemu-a030b347aaa84e2d1b42c9cb2bc9e2d8bec50046.zip |
qemu-nbd: introduce nbd_do_receive_request
Group the receiving of a response and the associated data into a new function.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-rw-r--r-- | nbd.c | 68 |
1 files changed, 47 insertions, 21 deletions
@@ -611,6 +611,47 @@ static int nbd_do_send_reply(int csock, struct nbd_reply *reply, return rc; } +static int nbd_do_receive_request(int csock, struct nbd_request *request, + uint8_t *data) +{ + int rc; + + if (nbd_receive_request(csock, request) == -1) { + rc = -EIO; + goto out; + } + + if (request->len > NBD_BUFFER_SIZE) { + LOG("len (%u) is larger than max len (%u)", + request->len, NBD_BUFFER_SIZE); + rc = -EINVAL; + goto out; + } + + if ((request->from + request->len) < request->from) { + LOG("integer overflow detected! " + "you're probably being attacked"); + rc = -EINVAL; + goto out; + } + + TRACE("Decoding type"); + + if ((request->type & NBD_CMD_MASK_COMMAND) == NBD_CMD_WRITE) { + TRACE("Reading %u byte(s)", request->len); + + if (read_sync(csock, data, request->len) != request->len) { + LOG("reading from socket failed"); + rc = -EIO; + goto out; + } + } + rc = 0; + +out: + return rc; +} + int nbd_trip(BlockDriverState *bs, int csock, off_t size, uint64_t dev_offset, uint32_t nbdflags, uint8_t *data) @@ -621,22 +662,17 @@ int nbd_trip(BlockDriverState *bs, int csock, off_t size, TRACE("Reading request."); - if (nbd_receive_request(csock, &request) == -1) + ret = nbd_do_receive_request(csock, &request, data); + if (ret == -EIO) { return -1; + } reply.handle = request.handle; reply.error = 0; - if (request.len > NBD_BUFFER_SIZE) { - LOG("len (%u) is larger than max len (%u)", - request.len, NBD_BUFFER_SIZE); - goto invalid_request; - } - - if ((request.from + request.len) < request.from) { - LOG("integer overflow detected! " - "you're probably being attacked"); - goto invalid_request; + if (ret < 0) { + reply.error = -ret; + goto error_reply; } if ((request.from + request.len) > size) { @@ -647,8 +683,6 @@ int nbd_trip(BlockDriverState *bs, int csock, off_t size, goto invalid_request; } - TRACE("Decoding type"); - switch (request.type & NBD_CMD_MASK_COMMAND) { case NBD_CMD_READ: TRACE("Request type is READ"); @@ -668,14 +702,6 @@ int nbd_trip(BlockDriverState *bs, int csock, off_t size, case NBD_CMD_WRITE: TRACE("Request type is WRITE"); - TRACE("Reading %u byte(s)", request.len); - - if (read_sync(csock, data, request.len) != request.len) { - LOG("reading from socket failed"); - errno = EINVAL; - return -1; - } - if (nbdflags & NBD_FLAG_READ_ONLY) { TRACE("Server is read-only, return error"); reply.error = EROFS; |