The SSH and NBD block drivers currently directly extract their runtime options from the options QDict they receive. This is bad practice and can lead to segmentation faults (which, however, will always be a NULL pointer dereference, so it should not be exploitable beyond a DoS).
This series fixes that by using QemuOpts instead (like all the other block drivers do). With this series applied, there are only two instances of "qdict_get" left in block/, both of which appear to be safe.

Max Reitz (5):
  block/ssh: Use QemuOpts for runtime options
  block/nbd: Use QemuOpts for runtime options
  block/blkdebug: Store config filename
  block/nbd: Store runtime option values
  iotests: Test case for wrong runtime option types

 block/blkdebug.c           |  17 +++--
 block/nbd.c                | 159 ++++++++++++++++++++++++++++++---------------
 block/ssh.c                |  77 +++++++++++++++-------
 tests/qemu-iotests/162     |  96 +++++++++++++++++++++++++++
 tests/qemu-iotests/162.out |  17 +++++
 tests/qemu-iotests/group   |   1 +
 6 files changed, 284 insertions(+), 83 deletions(-)
 create mode 100755 tests/qemu-iotests/162
 create mode 100644 tests/qemu-iotests/162.out

-- 
2.9.2
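The failure class described in the cover letter (an option of the wrong type turning into a NULL pointer that the driver then dereferences) can be shown with a simplified model. This is an added example, not code from the series or from QEMU; the `Opt` type, the `opt_*` functions and the sample option arrays are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a dynamically typed option entry (not QEMU's QDict). */
typedef enum { OPT_STR, OPT_INT } OptType;
typedef struct { const char *key; OptType type; const char *s; long long i; } Opt;
enum { OPT_OK = 0, OPT_MISSING = -1, OPT_WRONG_TYPE = -2 };

static const Opt *opt_find(const Opt *o, size_t n, const char *key)
{
    for (size_t k = 0; k < n; k++)
        if (strcmp(o[k].key, key) == 0)
            return &o[k];
    return NULL;
}

/* Unchecked pattern: yields NULL when the entry is absent or not a string.
 * A caller passing the result straight to strlen()/strcmp() crashes on NULL. */
static const char *opt_str_unchecked(const Opt *o, size_t n, const char *key)
{
    const Opt *e = opt_find(o, n, key);
    return e ? e->s : NULL;
}

/* Checked pattern: validate presence and type, report an error code, and
 * only hand out a pointer that is known to refer to a string. */
static int opt_str_checked(const Opt *o, size_t n, const char *key,
                           const char **out)
{
    const Opt *e = opt_find(o, n, key);
    *out = NULL;
    if (!e)
        return OPT_MISSING;
    if (e->type != OPT_STR || !e->s)
        return OPT_WRONG_TYPE;
    *out = e->s;
    return OPT_OK;
}

/* Constructed inputs: "host" supplied as an integer, then as a string. */
static const Opt bad_opts[]  = { { "host", OPT_INT, NULL, 1234 } };
static const Opt good_opts[] = { { "host", OPT_STR, "example.org", 0 } };

int main(void)
{
    const char *host;
    int bad = opt_str_checked(bad_opts, 1, "host", &host) == OPT_WRONG_TYPE;
    int good = opt_str_checked(good_opts, 1, "host", &host) == OPT_OK;
    return (bad && good && !opt_str_unchecked(bad_opts, 1, "host")) ? 0 : 1;
}
```

The checked accessor turns a mistyped option into an error the caller must handle at open time, which is the property a validated options layer provides over raw dictionary lookups.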
