From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 29 Nov 2017 09:39:55 +0100
Subject: [PATCH] nbd/server: CVE-2017-15119 Reject options larger than 32M

Backported-from: fdad35ef6c58
---
 nbd/server.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/nbd/server.c b/nbd/server.c
index a98bb21a0a..4d6da8ac06 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -489,6 +489,12 @@ static int nbd_negotiate_options(NBDClient *client)
         }
         length = be32_to_cpu(length);
 
+        if (length > NBD_MAX_BUFFER_SIZE) {
+            LOG("len (%" PRIu32" ) is larger than max len (%u)",
+                length, NBD_MAX_BUFFER_SIZE);
+            return -EINVAL;
+        }
+
         TRACE("Checking option 0x%" PRIx32, clientflags);
         if (client->tlscreds &&
             client->ioc == (QIOChannel *)client->sioc) {
-- 
2.11.0