From d6add35e43b45b892ad9eb015d29c0b2720001c2 Mon Sep 17 00:00:00 2001 Message-Id: From: "Daniel P. Berrange" Date: Fri, 30 Aug 2013 11:16:04 +0100 Subject: [PATCH] Add bounds checking on virDomainGetJobStats RPC call For https://bugzilla.redhat.com/show_bug.cgi?id=1002667 The return values for the virDomainGetJobStats call were not bounds checked. This is a robustness issue for clients if something where to cause corruption of the RPC stream data. Signed-off-by: Daniel P. Berrange (cherry picked from commit 6d7d0b1869ed293e3208d11f375cecea0129dfc5) --- daemon/remote.c | 7 +++++++ src/remote/remote_driver.c | 8 ++++++++ src/remote/remote_protocol.x | 5 ++++- 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/daemon/remote.c b/daemon/remote.c index a11ba94..ad78011 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -4579,6 +4579,13 @@ remoteDispatchDomainGetJobStats(virNetServerPtr server ATTRIBUTE_UNUSED, &nparams, args->flags) < 0) goto cleanup; + if (nparams > REMOTE_DOMAIN_JOB_STATS_MAX) { + virReportError(VIR_ERR_RPC, + _("Too many job stats '%d' for limit '%d'"), + nparams, REMOTE_DOMAIN_JOB_STATS_MAX); + goto cleanup; + } + if (remoteSerializeTypedParameters(params, nparams, &ret->params.params_val, &ret->params.params_len, diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index 30f8f90..33b2b0f 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -5998,6 +5998,14 @@ remoteDomainGetJobStats(virDomainPtr domain, (xdrproc_t) xdr_remote_domain_get_job_stats_ret, (char *) &ret) == -1) goto done; + if (ret.params.params_len > REMOTE_DOMAIN_JOB_STATS_MAX) { + virReportError(VIR_ERR_RPC, + _("Too many job stats '%d' for limit '%d'"), + ret.params.params_len, + REMOTE_DOMAIN_JOB_STATS_MAX); + goto cleanup; + } + *type = ret.type; if (remoteDeserializeTypedParameters(ret.params.params_val, diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x index 4262c34..eff7e1c 100644 
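Review bot: The guard added in remoteDispatchDomainGetJobStats tests only the upper bound, `nparams > REMOTE_DOMAIN_JOB_STATS_MAX`, so a negative count would still reach remoteSerializeTypedParameters if `nparams` is a signed int. The `%d` in the message suggests it is, but the declaration is outside the hunk. Consider `if (nparams < 0 || nparams > REMOTE_DOMAIN_JOB_STATS_MAX) {`. The function body starts and ends outside the hunk, so confirm there that the `cleanup` label releases `params` on this new error path.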
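Review bot: The client-side check on `ret.params.params_len` in remoteDomainGetJobStats runs only after `call()` has decoded the reply, so on its own it does not limit what the XDR decoder allocates for a corrupted stream. That limit depends on the array bound declared in remote_protocol.x, and a short comment above the check would make this clear, e.g. `/* Defence in depth: the XDR array bound is the primary limit; reject anything that still exceeds it */`. XDR-generated length fields are normally unsigned, so the `%d` used for `ret.params.params_len` presumably should be `%u`; the generated type is not visible here. The new branch jumps to `cleanup` while the failed `call()` just above jumps to `done`. Both labels are outside the hunk, so confirm that `cleanup` is the one that frees `ret`.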
--- a/src/remote/remote_protocol.x +++ b/src/remote/remote_protocol.x @@ -237,6 +237,9 @@ const REMOTE_NODE_MEMORY_PARAMETERS_MAX = 64; /* Upper limit on migrate parameters */ const REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX = 64; +/* Upper limit on number of job stats */ +const REMOTE_DOMAIN_JOB_STATS_MAX = 16; + /* UUID. VIR_UUID_BUFLEN definition comes from libvirt.h */ typedef opaque remote_uuid[VIR_UUID_BUFLEN]; @@ -2196,7 +2199,7 @@ struct remote_domain_get_job_stats_args { struct remote_domain_get_job_stats_ret { int type; - remote_typed_param params<>; + remote_typed_param params; }; -- 1.8.3.2
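Review bot: The comment on `REMOTE_DOMAIN_JOB_STATS_MAX` gives no rationale for 16 and does not say that the daemon and the client both fail the whole call above it. A driver that later reports more statistics would therefore cause a hard virDomainGetJobStats error rather than a shortened reply. Suggest `/* Upper limit on number of job stats; replies above this are rejected outright, so raise it before adding new stats */`.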
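Review bot: The replacement member in `remote_domain_get_job_stats_ret` appears here as `remote_typed_param params;`, which declares a single element rather than a bounded variable-length array. That does not match the `params_len`/`params_val` fields used in the other two files. Presumably the intended line is `remote_typed_param params<REMOTE_DOMAIN_JOB_STATS_MAX>;` and the bracketed bound was lost when the page was rendered. Confirm against the repository, since this bound is what would make the generated decoder refuse an oversized array before either explicit check runs.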