
Integer Overflow in nbd-client.c:421

Open chenaotian opened this issue 1 year ago • 0 comments

https://github.com/NetworkBlockDevice/nbd/blob/4697b68efc0781ef0dd7bdc92229d399091fde51/nbd-client.c#L409-L422

In line 421, retval->datasize is uint32_t data that comes from the socket, which is unsafe data. And the second parameter of realloc is also of type unsigned int, so sizeof(struct reply) + retval->datasize will overflow if retval->datasize is big enough. Although the vulnerability is in the client, if the server is controlled by an attacker, there will be an Integer Overflow.

chenaotian, Aug 14 '22 10:08
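The allocation-size wrap the report describes, as an added example that is not nbd's own code and not part of the issue. The `struct reply` layout, the 16 MiB payload bound and the names `vuln_alloc_size` / `safe_alloc_size` / `reply_roundtrip` are assumptions made for this illustration; the vulnerable variant does its arithmetic in a 32-bit unsigned type so that the wrap is visible on any host, which is also an assumption about the width the sum is evaluated in. The point it makes is the practitioner's check: a wrapped size is smaller than `datasize`, so the subsequent copy of `datasize` bytes lands past the end of the buffer, and the fix is to bound the untrusted length before adding the header size.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for nbd's struct reply; the real layout is not reproduced here.
 * The flexible array member means the payload of `datasize` bytes follows the header. */
struct reply {
    uint64_t handle;
    uint32_t error;
    uint32_t datasize;     /* attacker-controlled: arrives from the server socket */
    unsigned char data[];  /* `datasize` bytes follow */
};

/* Policy bound for a single reply payload (assumed value for this example). */
#define MAX_REPLY_DATA (1u << 24)  /* 16 MiB */

/* Vulnerable size computation, mirroring the pattern in the report: header size plus an
 * untrusted 32-bit length, evaluated in 32 bits. Wraps modulo 2^32 once
 * datasize > UINT32_MAX - sizeof(struct reply). */
uint32_t vuln_alloc_size(uint32_t datasize)
{
    uint32_t hdr = (uint32_t)sizeof(struct reply);
    return hdr + datasize;
}

/* The condition a reviewer checks for: if the buffer we would allocate is smaller than the
 * number of payload bytes we are about to read into it, the read is a heap overflow. */
bool vuln_would_overflow(uint32_t datasize)
{
    return vuln_alloc_size(datasize) < datasize;
}

/* Hardened version: bound the untrusted length first, then add the header. Returns false
 * (and leaves *out untouched) when the reply must be rejected. */
bool safe_alloc_size(uint32_t datasize, size_t *out)
{
    const size_t hdr = sizeof(struct reply);
    if (datasize > MAX_REPLY_DATA)
        return false;                  /* policy bound: no legitimate reply is this large */
    if ((size_t)datasize > SIZE_MAX - hdr)
        return false;                  /* cannot happen after the bound check; explicit anyway */
    *out = hdr + datasize;
    return true;
}

/* Convenience for callers that just want a size or 0 on rejection. */
size_t safe_size_or_zero(uint32_t datasize)
{
    size_t n = 0;
    return safe_alloc_size(datasize, &n) ? n : 0;
}

/* Simulated receive path: allocate a reply for a datasize read from the wire. */
struct reply *receive_reply(uint32_t wire_datasize)
{
    size_t need;
    if (!safe_alloc_size(wire_datasize, &need))
        return NULL;                   /* malicious or oversized length: drop the reply */
    struct reply *r = calloc(1, need);
    if (!r)
        return NULL;
    r->datasize = wire_datasize;
    return r;
}

/* Allocate, verify the buffer really holds `datasize` payload bytes, free. */
bool reply_roundtrip(uint32_t wire_datasize)
{
    struct reply *r = receive_reply(wire_datasize);
    if (!r)
        return false;
    /* With the hardened size, data[datasize - 1] is inside the allocation by construction. */
    bool ok = (r->datasize == wire_datasize);
    free(r);
    return ok;
}

int main(void)
{
    uint32_t evil = UINT32_MAX;  /* constructed wire value from a hostile server */
    printf("vulnerable size for datasize=%u: %u (overflow: %s)\n",
           evil, vuln_alloc_size(evil), vuln_would_overflow(evil) ? "yes" : "no");
    printf("hardened size for datasize=%u: %zu (0 = rejected)\n", evil, safe_size_or_zero(evil));
    printf("hardened size for datasize=4096: %zu\n", safe_size_or_zero(4096));
    return 0;
}
```

The hardened check bounds `datasize` before the addition rather than testing the sum afterwards; testing the sum would require the addition to be done in a wider type than the operand, and the policy bound is what a block-device client actually wants anyway, since a reply larger than any request it issued is itself a protocol violation.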