Stack Overflow in nbd-client.c: 501
https://github.com/NetworkBlockDevice/nbd/blob/4697b68efc0781ef0dd7bdc92229d399091fde51/nbd-client.c#L440-L501
The data length, len, is read from the socket at line 451:

if(read(sock, &len, sizeof(len)) < 0) {

So len is untrusted data; however, when it is then used as the length of the data to read, it is not validated at line 501:

if(len > 0) {
    if(read(sock, buf, len) < 0) {

buf is a stack buffer, so if len is larger than BUF_SIZE the read writes past the end of buf and overflows the stack.
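As an added illustration (not code from the nbd project), the following C sketch shows the checked form of this receive path: the untrusted length word is compared with the destination buffer's capacity before it is used as a read size, and short reads are handled. The socket is replaced by a constructed in-memory buffer; the BUF_SIZE value, the 32-bit length type and the helper names are assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

#define BUF_SIZE 1024   /* stand-in for nbd-client's BUF_SIZE; real value not in the report */
/* Constructed in-memory "socket" so the example runs offline. */
typedef struct { const unsigned char *data; size_t len, pos; } mem_sock;

static ssize_t mem_read(mem_sock *s, void *dst, size_t n) {
    size_t left = s->len - s->pos;
    if (n > left) n = left;               /* short read, as a real socket may do */
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return (ssize_t)n;
}

/* Read exactly n bytes, retrying on short reads: 0 on success, -1 on EOF. */
static int read_all(mem_sock *s, void *dst, size_t n) {
    unsigned char *p = dst;
    while (n > 0) {
        ssize_t r = mem_read(s, p, n);
        if (r <= 0) return -1;
        p += r; n -= (size_t)r;
    }
    return 0;
}

/* Hardened receive. The report's code does read(sock, buf, len) straight after
 * reading len from the socket; here len is compared with the capacity of the
 * caller's buffer first. Returns payload length, or -1 if truncated/oversized. */
static ssize_t recv_frame(mem_sock *s, char *buf, size_t buf_size) {
    uint32_t len;                              /* assumed 32-bit length field */
    if (read_all(s, &len, sizeof len) != 0) return -1;
    if (len > buf_size) return -1;             /* the bounds check the report says is missing */
    if (len > 0 && read_all(s, buf, len) != 0) return -1;
    return (ssize_t)len;
}

/* Builds a constructed frame (host-order length word, matching the raw read above)
 * and feeds it to recv_frame with a BUF_SIZE stack buffer. payload_len must be <= 64. */
static ssize_t demo_frame(uint32_t claimed_len, const char *payload, size_t payload_len) {
    unsigned char frame[sizeof(uint32_t) + 64];
    char buf[BUF_SIZE];
    memcpy(frame, &claimed_len, sizeof claimed_len);
    memcpy(frame + sizeof claimed_len, payload, payload_len);
    mem_sock s = { frame, sizeof claimed_len + payload_len, 0 };
    return recv_frame(&s, buf, sizeof buf);
}
```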