Fix CVE-2022-26495: In nbd-server in nbd before 3.24, there is an
integer overflow with a resultant heap-based buffer overflow. A value of
0xffffffff in the name length field will cause a zero-sized buffer to be
allocated for the name, resulting in a write to a dangling pointer. This
issue exists for the NBD_OPT_INFO, NBD_OPT_GO, and NBD_OPT_EXPORT_NAME
messages.
Fix CVE-2022-26496: In nbd-server in nbd before 3.24, there is a
stack-based buffer overflow. An attacker can cause a buffer overflow in
the parsing of the name field by sending a crafted NBD_OPT_INFO or
NBD_OPT_GO message with an large value as the length of the name.
https://github.com/NetworkBlockDevice/nbd/compare/nbd-3.21...nbd-3.24
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
bf2e459bb9