In nbd-server in nbd prior to 3.24, there is an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name, resulting in a write to a dangling pointer. This issue exists for the NBD_OPT_INFO, NBD_OPT_GO, and NBD_OPT_EXPORT_NAME messages.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
network block device project network block device |
||
debian debian linux 9.0 |
||
debian debian linux 10.0 |
||
debian debian linux 11.0 |
||
fedoraproject fedora 34 |
||
fedoraproject fedora 35 |
||
fedoraproject fedora 36 |