From 89ef17c90996c0e212e3a17c8d26ff930ab464ea Mon Sep 17 00:00:00 2001 From: Eric Blake Date: Mon, 16 Aug 2021 13:43:29 -0500 Subject: [PATCH] server: reset meta context replies on starttls Related to CVE-2021-3716, but not as severe. No compliant client will send NBD_CMD_BLOCK_STATUS unless it first negotiates NBD_OPT_SET_META_CONTEXT. If an attacker injects a premature SET_META_CONTEXT, either the client will never notice (because it never uses BLOCK_STATUS), or the client will overwrite the attacker's attempt with the client's own SET_META_CONTEXT request after encryption is enabled. So I don't class this as having the potential to trigger denial-of-service due to any protocol mismatch between compliant client and server (I don't care what happens with non-compliant clients). Fixes: 26455d45 (server: protocol: Implement Block Status "base:allocation".) (cherry picked from commit 6c5faac6a37077cf2366388a80862bb00616d0d8) --- server/protocol-handshake-newstyle.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/server/protocol-handshake-newstyle.c b/server/protocol-handshake-newstyle.c index 7e6b7b1b..79b2c8ce 100644 --- a/server/protocol-handshake-newstyle.c +++ b/server/protocol-handshake-newstyle.c @@ -497,6 +497,9 @@ negotiate_handshake_newstyle_options (void) debug ("using TLS on this connection"); /* Wipe out any cached state. */ conn->structured_replies = false; + free (conn->exportname_from_set_meta_context); + conn->exportname_from_set_meta_context = NULL; + conn->meta_context_base_allocation = false; for_each_backend (b) { free (conn->default_exportname[b->i]); conn->default_exportname[b->i] = NULL; -- 2.31.1