On 8/7/24 19:43, Eric Blake wrote:
v3 was here:
https://lists.gnu.org/archive/html/qemu-devel/2024-08/msg00818.html
since then:
- re-add a minor patch from v2 (now patch 1)
- refactor how the client opaque pointer is handled (patch 2)
- add two new patches to prevent malicious clients from consuming
inordinate resources: change the default max-connections from
unlimited to capped at 100 (patch 3), and add code to kill any
client that takes longer than 10 seconds after connect to reach
NBD_OPT_GO (patch 4) [Dan]
- squash the connection list handling into a single patch (5) [Dan]
- two new additional patches for reverting back to 9.0 behavior for
integration testing purposes; I'm okay if these last two miss 9.1
Eric Blake (7):
nbd: Minor style fixes
nbd/server: Plumb in new args to nbd_client_add()
nbd/server: CVE-2024-7409: Change default max-connections to 100
nbd/server: CVE-2024-7409: Drop non-negotiating clients
nbd/server: CVE-2024-7409: Close stray client sockets at shutdown
qemu-nbd: Allow users to adjust handshake limit
nbd/server: Allow users to adjust handshake limit in QMP
docs/tools/qemu-nbd.rst | 5 +++
qapi/block-export.json | 18 +++++++---
include/block/nbd.h | 20 +++++++++--
block/monitor/block-hmp-cmds.c | 3 +-
blockdev-nbd.c | 62 +++++++++++++++++++++++++++++++---
nbd/server.c | 51 +++++++++++++++++++++++++---
qemu-nbd.c | 44 ++++++++++++++++--------
nbd/trace-events | 1 +
8 files changed, 173 insertions(+), 31 deletions(-)
should this go to stable too? 7.5 score is high enough.
We have had CVE-2024-4467
<https://security-tracker.debian.org/tracker/CVE-2024-4467> with 7.8
merged to stables too.
Den
