From dfbf1f6f34dfef111120438d9c4e2f75f20b4578 Mon Sep 17 00:00:00 2001
From: Jens Axboe
Date: Mon, 14 Apr 2014 11:43:47 -0600
Subject: [PATCH] server: sanity check incoming command size (and payload)

Signed-off-by: Jens Axboe
---
 server.c | 16 ++++++++++++++--
 server.h | 1 +
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/server.c b/server.c
index 1c4c494a..f65f3abf 100644
--- a/server.c
+++ b/server.c
@@ -208,7 +208,7 @@ static int verify_convert_cmd(struct fio_net_cmd *cmd)
 */
 struct fio_net_cmd *fio_net_recv_cmd(int sk)
 {
- struct fio_net_cmd cmd, *cmdret = NULL;
+ struct fio_net_cmd cmd, *tmp, *cmdret = NULL;
 size_t cmd_size = 0, pdu_offset = 0;
 uint16_t crc;
 int ret, first = 1;
@@ -231,7 +231,19 @@ struct fio_net_cmd *fio_net_recv_cmd(int sk)
 } else
 cmd_size += cmd.pdu_len;
- cmdret = realloc(cmdret, cmd_size);
+ if (cmd_size / 1024 > FIO_SERVER_MAX_CMD_MB * 1024) {
+ log_err("fio: cmd+pdu too large (%llu)\n", (unsigned long long) cmd_size);
+ ret = 1;
+ break;
+ }
+
+ tmp = realloc(cmdret, cmd_size);
+ if (!tmp) {
+ log_err("fio: server failed allocating cmd\n");
+ ret = 1;
+ break;
+ }
+ cmdret = tmp;
 if (first)
 memcpy(cmdret, &cmd, sizeof(cmd));
diff --git a/server.h b/server.h
index 3a279f0b..2958e730 100644
--- a/server.h
+++ b/server.h
@@ -41,6 +41,7 @@ enum {
 FIO_SERVER_VER = 33,
 FIO_SERVER_MAX_FRAGMENT_PDU = 1024,
+ FIO_SERVER_MAX_CMD_MB = 2048,
 FIO_NET_CMD_QUIT = 1,
 FIO_NET_CMD_EXIT = 2,
-- 
2.25.1
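Review bot: The new size check in `fio_net_recv_cmd` runs only after `cmd_size += cmd.pdu_len` has been applied, so it validates the accumulated sum rather than the peer-supplied length. Where `size_t` is 32 bits, a large `pdu_len` could wrap the sum to a small value that passes the check and shrinks the buffer while `pdu_offset` keeps its earlier value; the type of `pdu_len` is not visible in this hunk, so that needs confirming against the struct definition. Rejecting the fragment before the addition, e.g. `if (cmd.pdu_len > limit - cmd_size)` with `limit` standing for the byte cap, closes that gap. The function starts and ends outside the hunk, so whether `cmdret` is freed after the two new `break` paths cannot be checked from here.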
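Review bot: `FIO_SERVER_MAX_CMD_MB` is added without a comment giving its unit or the reason for the value, and its only use in server.c divides the size by 1024 and multiplies the constant by 1024, so a reader has to work through the arithmetic to see that the cap is 2048 MiB per command. I would add `/* max size of a reassembled cmd + pdu, in MiB */` beside it. The neighbouring `FIO_SERVER_MAX_FRAGMENT_PDU = 1024` presumably uses a different unit (not shown here), which makes stating the unit more useful. The enum continues outside the hunk.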