Impact
In nbd-server in nbd before 3.24, there is an integer overflow with a resultant heap-based buffer overflow. The server allocates the export name buffer as the 32-bit name length plus one, so a value of 0xffffffff in the name length field wraps to zero and a zero-sized buffer is allocated for the name; the subsequent read of the name into that buffer then writes past its end on the heap. This issue exists for the NBD_OPT_INFO, NBD_OPT_GO, and NBD_OPT_EXPORT_NAME messages, all of which are reachable during negotiation before any export is opened.
NOTE: support for the NBD_OPT_INFO and NBD_OPT_GO messages was added with NBD 3.16, so in versions older than 3.16 only the NBD_OPT_EXPORT_NAME path is affected.
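The following is an added example, not code from the nbd project, that models the length handling the advisory describes on constructed option frames. The IHAVEOPT magic and the NBD_OPT_* numbers follow the NBD newstyle negotiation; NBD_MAX_NAME_LEN, the frames, and the helper names are assumptions made for illustration. vulnerable_alloc_size shows the 32-bit wrap, and extract_export_name shows the checks a hardened server applies before any length arithmetic.

```c
/* Added example (not nbd-server's own code): models the name-length handling
 * behind CVE-2022-26495. NBD_MAX_NAME_LEN is an assumed server-side cap. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NBD_OPT_EXPORT_NAME 1u
#define NBD_OPT_INFO        6u
#define NBD_OPT_GO          7u
#define NBD_MAX_NAME_LEN    4096u   /* assumed bound, not taken from the advisory */

static const uint8_t IHAVEOPT[8] = { 'I','H','A','V','E','O','P','T' };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The vulnerable computation: a 32-bit length of 0xffffffff plus one wraps to 0,
 * so malloc() hands back a zero-sized buffer and the following read of namelen
 * bytes overflows it. Only the size is returned here so the example stays safe. */
uint32_t vulnerable_alloc_size(uint32_t namelen) {
    return namelen + 1;   /* wraps to 0 for 0xffffffff */
}

typedef struct {
    uint32_t option;      /* NBD_OPT_* */
    uint32_t optlen;      /* length of the option data after the header */
    const uint8_t *data;  /* option data as received */
} nbd_opt;

/* Parse one newstyle option request: 8-byte IHAVEOPT magic, u32 option, u32 length, data. */
int parse_option(const uint8_t *buf, size_t buflen, nbd_opt *o) {
    if (buflen < 16 || memcmp(buf, IHAVEOPT, 8) != 0) return -1;
    o->option = be32(buf + 8);
    o->optlen = be32(buf + 12);
    if ((size_t)o->optlen > buflen - 16) return -1;   /* data must actually be present */
    o->data = buf + 16;
    return 0;
}

/* Hardened name extraction. For NBD_OPT_EXPORT_NAME the option data is the name;
 * for NBD_OPT_INFO/GO the data starts with a u32 name length, then the name.
 * The bound checks run before any allocation, and the +1 is done in size_t. */
int extract_export_name(const nbd_opt *o, char **out) {
    const uint8_t *name; uint32_t namelen;
    if (o->option == NBD_OPT_EXPORT_NAME) {
        name = o->data; namelen = o->optlen;
    } else if (o->option == NBD_OPT_INFO || o->option == NBD_OPT_GO) {
        if (o->optlen < 4) return -1;
        namelen = be32(o->data);
        if (namelen > o->optlen - 4) return -1;       /* name must fit in the option data */
        name = o->data + 4;
    } else {
        return -1;
    }
    if (namelen > NBD_MAX_NAME_LEN) return -1;        /* rejects 0xffffffff outright */
    char *copy = malloc((size_t)namelen + 1);         /* cannot wrap after the cap */
    if (!copy) return -1;
    memcpy(copy, name, namelen);
    copy[namelen] = '\0';
    *out = copy;
    return 0;
}

/* Constructed frames for the demo (not captured traffic). */
static const uint8_t benign_export_name[] = {
    'I','H','A','V','E','O','P','T',
    0,0,0,1,                 /* NBD_OPT_EXPORT_NAME */
    0,0,0,5,                 /* optlen 5 */
    'd','i','s','k','0'
};
static const uint8_t malicious_go[] = {
    'I','H','A','V','E','O','P','T',
    0,0,0,7,                 /* NBD_OPT_GO */
    0,0,0,6,                 /* optlen 6: u32 name length + u16 info request count */
    0xff,0xff,0xff,0xff,     /* name length 0xffffffff */
    0,0                      /* zero info requests */
};

/* Returns 1 when the benign frame yields the name "disk0". */
int demo_benign(void) {
    nbd_opt o; char *name = NULL;
    if (parse_option(benign_export_name, sizeof benign_export_name, &o) != 0) return 0;
    if (extract_export_name(&o, &name) != 0) return 0;
    int ok = strcmp(name, "disk0") == 0;
    free(name);
    return ok;
}

/* Returns 1 when the 0xffffffff length is rejected by the hardened path. */
int demo_malicious(void) {
    nbd_opt o; char *name = NULL;
    if (parse_option(malicious_go, sizeof malicious_go, &o) != 0) return 0;
    return extract_export_name(&o, &name) == -1;
}
```

In a real server the option data is read from the socket after the header, so the cap on the name length has to be applied before the read, not after; the point of the example is that rejecting the length first makes the wrap unreachable, whereas checking the allocation result alone does not help because malloc(0) succeeds.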
Patches
The issue was fixed with NBD 3.24.
Workarounds
There are no known workarounds.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26495
For more information
If you have any questions or comments about this advisory: