
Stack Overflow in nbd-client.c: 501

Open chenaotian opened this issue 1 year ago • 0 comments

https://github.com/NetworkBlockDevice/nbd/blob/4697b68efc0781ef0dd7bdc92229d399091fde51/nbd-client.c#L440-L501

The data length `len` is read from `sock` at line 451:

```c
/* len is filled directly from the peer */
if(read(sock, &len, sizeof(len)) < 0) {
```

So `len` is unsafe data; however, when it is used as the length of the read data, it is not verified at line 501:

```c
if(len > 0) {
    /* len is never compared against the size of buf before this read */
    if(read(sock, buf, len) < 0) {
```

`buf` is stack data, so if `len` is bigger than `BUF_SIZE`, it will cause a stack overflow.

chenaotian · Aug 14 '22 10:08
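The missing check described in the report, shown as an added example rather than nbd's own code: a length-prefixed read that compares the peer-supplied length against the destination buffer before any payload is read. The helper names (`read_all`, `read_length_prefixed`, `demo_pipe_case`) and the 16-byte buffer are assumptions; NBD fields are assumed to be in network byte order.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* read() may return fewer bytes than requested; loop until n bytes arrive.
 * Returns 0 on success, -1 on error or early EOF. Hypothetical helper. */
static int read_all(int fd, void *dst, size_t n) {
    unsigned char *p = dst;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        if (r == 0) return -1;
        p += r; n -= (size_t)r;
    }
    return 0;
}

/* Hardened reader: the 4-byte big-endian length comes from the peer, so it is
 * compared against the caller's buffer size BEFORE the payload read happens.
 * Returns the payload length, -1 on I/O error, -2 if the claimed length does not fit. */
ssize_t read_length_prefixed(int fd, char *buf, size_t bufsize) {
    uint32_t len;
    if (read_all(fd, &len, sizeof(len)) < 0) return -1;
    len = ntohl(len);                   /* assumed: network byte order on the wire */
    if (len > bufsize) return -2;       /* the check the reported code lacks */
    if (len > 0 && read_all(fd, buf, len) < 0) return -1;
    return (ssize_t)len;
}

/* Feeds a constructed length-prefixed message through a pipe so the reader can be
 * exercised offline: wire_len is what the "peer" claims, payload is what follows. */
ssize_t demo_pipe_case(uint32_t wire_len, const char *payload, char *out, size_t bufsize) {
    int fds[2];
    if (pipe(fds) < 0) return -1;
    uint32_t wire = htonl(wire_len);
    if (write(fds[1], &wire, sizeof(wire)) != (ssize_t)sizeof(wire)) return -1;
    if (write(fds[1], payload, strlen(payload)) != (ssize_t)strlen(payload)) return -1;
    close(fds[1]);
    ssize_t r = read_length_prefixed(fds[0], out, bufsize);
    close(fds[0]);
    return r;
}

int main(void) {
    char buf[16];                       /* small stack buffer standing in for buf[BUF_SIZE] */
    /* a peer claiming 64 bytes is rejected instead of overrunning the 16-byte buffer */
    return demo_pipe_case(64, "", buf, sizeof buf) == -2 ? 0 : 1;
}
```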