|
 |
43fe83 |
From d6add35e43b45b892ad9eb015d29c0b2720001c2 Mon Sep 17 00:00:00 2001
|
|
|
43fe83 |
Message-Id: <d6add35e43b45b892ad9eb015d29c0b2720001c2.1377873639.git.jdenemar@redhat.com>
|
|
|
43fe83 |
From: "Daniel P. Berrange" <berrange@redhat.com>
|
|
|
43fe83 |
Date: Fri, 30 Aug 2013 11:16:04 +0100
|
|
|
43fe83 |
Subject: [PATCH] Add bounds checking on virDomainGetJobStats RPC call
|
|
|
43fe83 |
|
|
|
43fe83 |
For
|
|
|
43fe83 |
|
|
|
43fe83 |
https://bugzilla.redhat.com/show_bug.cgi?id=1002667
|
|
|
43fe83 |
|
|
|
43fe83 |
The return values for the virDomainGetJobStats call were not
|
|
|
43fe83 |
bounds checked. This is a robustness issue for clients if
|
|
|
43fe83 |
something where to cause corruption of the RPC stream data.
|
|
|
43fe83 |
|
|
|
43fe83 |
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
|
|
43fe83 |
(cherry picked from commit 6d7d0b1869ed293e3208d11f375cecea0129dfc5)
|
|
|
43fe83 |
---
|
|
|
43fe83 |
daemon/remote.c | 7 +++++++
|
|
|
43fe83 |
src/remote/remote_driver.c | 8 ++++++++
|
|
|
43fe83 |
src/remote/remote_protocol.x | 5 ++++-
|
|
|
43fe83 |
3 files changed, 19 insertions(+), 1 deletion(-)
|
|
|
43fe83 |
|
|
|
43fe83 |
diff --git a/daemon/remote.c b/daemon/remote.c
|
|
|
43fe83 |
index a11ba94..ad78011 100644
|
|
|
43fe83 |
--- a/daemon/remote.c
|
|
|
43fe83 |
+++ b/daemon/remote.c
|
|
|
43fe83 |
@@ -4579,6 +4579,13 @@ remoteDispatchDomainGetJobStats(virNetServerPtr server ATTRIBUTE_UNUSED,
|
|
|
43fe83 |
&nparams, args->flags) < 0)
|
|
|
43fe83 |
goto cleanup;
|
|
|
43fe83 |
|
|
|
43fe83 |
+ if (nparams > REMOTE_DOMAIN_JOB_STATS_MAX) {
|
|
|
43fe83 |
+ virReportError(VIR_ERR_RPC,
|
|
|
43fe83 |
+ _("Too many job stats '%d' for limit '%d'"),
|
|
|
43fe83 |
+ nparams, REMOTE_DOMAIN_JOB_STATS_MAX);
|
|
|
43fe83 |
+ goto cleanup;
|
|
|
43fe83 |
+ }
|
|
|
43fe83 |
+
|
|
|
43fe83 |
if (remoteSerializeTypedParameters(params, nparams,
|
|
|
43fe83 |
&ret->params.params_val,
|
|
|
43fe83 |
&ret->params.params_len,
|
|
|
43fe83 |
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
|
|
|
43fe83 |
index 30f8f90..33b2b0f 100644
|
|
|
43fe83 |
--- a/src/remote/remote_driver.c
|
|
|
43fe83 |
+++ b/src/remote/remote_driver.c
|
|
|
43fe83 |
@@ -5998,6 +5998,14 @@ remoteDomainGetJobStats(virDomainPtr domain,
|
|
|
43fe83 |
(xdrproc_t) xdr_remote_domain_get_job_stats_ret, (char *) &ret) == -1)
|
|
|
43fe83 |
goto done;
|
|
|
43fe83 |
|
|
|
43fe83 |
+ if (ret.params.params_len > REMOTE_DOMAIN_JOB_STATS_MAX) {
|
|
|
43fe83 |
+ virReportError(VIR_ERR_RPC,
|
|
|
43fe83 |
+ _("Too many job stats '%d' for limit '%d'"),
|
|
|
43fe83 |
+ ret.params.params_len,
|
|
|
43fe83 |
+ REMOTE_DOMAIN_JOB_STATS_MAX);
|
|
|
43fe83 |
+ goto cleanup;
|
|
|
43fe83 |
+ }
|
|
|
43fe83 |
+
|
|
|
43fe83 |
*type = ret.type;
|
|
|
43fe83 |
|
|
|
43fe83 |
if (remoteDeserializeTypedParameters(ret.params.params_val,
|
|
|
43fe83 |
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
|
|
|
43fe83 |
index 4262c34..eff7e1c 100644
|
|
|
43fe83 |
--- a/src/remote/remote_protocol.x
|
|
|
43fe83 |
+++ b/src/remote/remote_protocol.x
|
|
|
43fe83 |
@@ -237,6 +237,9 @@ const REMOTE_NODE_MEMORY_PARAMETERS_MAX = 64;
|
|
|
43fe83 |
/* Upper limit on migrate parameters */
|
|
|
43fe83 |
const REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX = 64;
|
|
|
43fe83 |
|
|
|
43fe83 |
+/* Upper limit on number of job stats */
|
|
|
43fe83 |
+const REMOTE_DOMAIN_JOB_STATS_MAX = 16;
|
|
|
43fe83 |
+
|
|
|
43fe83 |
/* UUID. VIR_UUID_BUFLEN definition comes from libvirt.h */
|
|
|
43fe83 |
typedef opaque remote_uuid[VIR_UUID_BUFLEN];
|
|
|
43fe83 |
|
|
|
43fe83 |
@@ -2196,7 +2199,7 @@ struct remote_domain_get_job_stats_args {
|
|
|
43fe83 |
|
|
|
43fe83 |
struct remote_domain_get_job_stats_ret {
|
|
|
43fe83 |
int type;
|
|
|
43fe83 |
- remote_typed_param params<>;
|
|
|
43fe83 |
+ remote_typed_param params<REMOTE_DOMAIN_JOB_STATS_MAX>;
|
|
|
43fe83 |
};
|
|
|
43fe83 |
|
|
|
43fe83 |
|
|
|
43fe83 |
--
|
|
|
43fe83 |
1.8.3.2
|
|
|
43fe83 |
|