block/export: fix vhost-user-blk get_config() information leak

Refuse get_config() requests in excess of sizeof(struct virtio_blk_config). Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20201027173528.213464-5-stefanha@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
author: Stefan Hajnoczi 2020-10-27 18:35:20 +0100
committer: Michael S. Tsirkin 2020-11-03 22:39:05 +0100
commit: f8ffcb2bda22bad8e91da70c28ec52724a054f92 (patch)
tree: b4edd4a9702c55b847b4e45e7481198a86c55488 /block/export
parent: block/export: make vhost-user-blk config space little-endian (diff)
download: qemu-f8ffcb2bda22bad8e91da70c28ec52724a054f92.tar.gz
qemu-f8ffcb2bda22bad8e91da70c28ec52724a054f92.tar.xz
qemu-f8ffcb2bda22bad8e91da70c28ec52724a054f92.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/block/export/vhost-user-blk-server.c b/block/export/vhost-user-blk-server.c
index 33cc0818b8..62672d1cb9 100644
--- a/block/export/vhost-user-blk-server.c
+++ b/block/export/vhost-user-blk-server.c
@@ -266,6 +266,9 @@ vu_blk_get_config(VuDev *vu_dev, uint8_t *config, uint32_t len)
 {
     VuServer *server = container_of(vu_dev, VuServer, vu_dev);
     VuBlkExport *vexp = container_of(server, VuBlkExport, vu_server);
+
+    g_return_val_if_fail(len <= sizeof(struct virtio_blk_config), -1);
+
     memcpy(config, &vexp->blkcfg, len);
     return 0;
 }
author	Stefan Hajnoczi	2020-10-27 18:35:20 +0100
committer	Michael S. Tsirkin	2020-11-03 22:39:05 +0100
commit	f8ffcb2bda22bad8e91da70c28ec52724a054f92 (patch)
tree	b4edd4a9702c55b847b4e45e7481198a86c55488 /block/export
parent	block/export: make vhost-user-blk config space little-endian (diff)
download	qemu-f8ffcb2bda22bad8e91da70c28ec52724a054f92.tar.gz qemu-f8ffcb2bda22bad8e91da70c28ec52724a054f92.tar.xz qemu-f8ffcb2bda22bad8e91da70c28ec52724a054f92.zip