From: Wouter Verhelst Date: Thu, 27 Jan 2011 21:30:09 +0000 (+0100) Subject: Fix buffer size checking X-Git-Url: http://git.alex.org.uk Fix buffer size checking Yes, this means we've re-introduced CVE-2005-3534. Sigh.
---
diff --git a/nbd-server.c b/nbd-server.c
index 820458c..b47da86 100644
--- a/nbd-server.c
+++ b/nbd-server.c
@@ -150,7 +150,7 @@ gboolean do_oldstyle=FALSE;
 #define OFFT_MAX ~((off_t)1<<(sizeof(off_t)*8-1))
 #define LINELEN 256 /**< Size of static buffer used to read the authorization file (yuck) */
-#define BUFSIZE (1024*1024) /**< Size of buffer that can hold requests */
+#define BUFSIZE ((1024*1024)+sizeof(struct nbd_reply)) /**< Size of buffer that can hold requests */
 #define DIFFPAGESIZE 4096 /**< diff file uses those chunks */
 #define F_READONLY 1 /**< flag to tell us a file is readonly */
 #define F_MULTIFILE 2 /**< flag to tell us a file is exported using -m */
@@ -1389,7 +1389,7 @@ int mainloop(CLIENT *client) {
 if (request.magic != htonl(NBD_REQUEST_MAGIC))
 err("Not enough magic.");
- if (len > BUFSIZE + sizeof(struct nbd_reply))
+ if (len > BUFSIZE - sizeof(struct nbd_reply))
 err("Request too big!");
 #ifdef DODBG
 printf("%s from %llu (%llu) len %d, ", request.type ? "WRITE" :
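Review bot: The doc comment on the new BUFSIZE definition still reads `Size of buffer that can hold requests`, but the macro now also reserves `sizeof(struct nbd_reply)` on top of the 1 MiB, and the length check in mainloop (`len > BUFSIZE - sizeof(struct nbd_reply)`, second hunk) only bounds the request correctly if that relationship holds; the comment should state it, e.g. `/**< Size of the request buffer: 1 MiB of request payload plus room for one struct nbd_reply (mainloop subtracts the header size again when checking len) */`. Because the macro now contains `sizeof`, it is a `size_t` expression, so a signed `len` (it appears to be printed with `%d` a few lines below — confirm its type) is converted to unsigned before the comparison; that is the desired outcome for negative values, which become large and are rejected, but it deserves a one-line comment or an explicit cast so `-Wsign-compare` does not hide a future regression. If BUFSIZE also sizes the allocation of the buffer itself, that use is outside this view and should be checked against the same subtraction. The body of mainloop continues beyond the second hunk.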