41 lines
1.8 KiB
Diff
41 lines
1.8 KiB
Diff
From add9b794b9dc697a1b52115c997fcfb6e06bf64c Mon Sep 17 00:00:00 2001
|
|
From: Eric Blake <eblake@redhat.com>
|
|
Date: Mon, 16 Aug 2021 13:43:29 -0500
|
|
Subject: [PATCH] server: reset meta context replies on starttls
|
|
|
|
Related to CVE-2021-3716, but not as severe. No compliant client will
|
|
send NBD_CMD_BLOCK_STATUS unless it first negotiates
|
|
NBD_OPT_SET_META_CONTEXT. If an attacker injects a premature
|
|
SET_META_CONTEXT, either the client will never notice (because it
|
|
never uses BLOCK_STATUS), or the client will overwrite the attacker's
|
|
attempt with the client's own SET_META_CONTEXT request after
|
|
encryption is enabled. So I don't class this as having the potential
|
|
to trigger denial-of-service due to any protocol mismatch between
|
|
compliant client and server (I don't care what happens with
|
|
non-compliant clients).
|
|
|
|
Fixes: 26455d45 (server: protocol: Implement Block Status "base:allocation".)
|
|
(cherry picked from commit 6c5faac6a37077cf2366388a80862bb00616d0d8)
|
|
(cherry picked from commit 814d8103fb4b581dc01dfd25d2cd81596576f211)
|
|
---
|
|
server/protocol-handshake-newstyle.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/server/protocol-handshake-newstyle.c b/server/protocol-handshake-newstyle.c
|
|
index b94950e2..eb0f3961 100644
|
|
--- a/server/protocol-handshake-newstyle.c
|
|
+++ b/server/protocol-handshake-newstyle.c
|
|
@@ -497,6 +497,9 @@ negotiate_handshake_newstyle_options (void)
|
|
debug ("using TLS on this connection");
|
|
/* Wipe out any cached state. */
|
|
conn->structured_replies = false;
|
|
+ free (conn->exportname_from_set_meta_context);
|
|
+ conn->exportname_from_set_meta_context = NULL;
|
|
+ conn->meta_context_base_allocation = false;
|
|
for_each_backend (b) {
|
|
struct handle *h = get_handle (conn, b->i);
|
|
free (h->default_exportname);
|
|
--
|
|
2.31.1
|
|
|