| From d6add35e43b45b892ad9eb015d29c0b2720001c2 Mon Sep 17 00:00:00 2001 |
| Message-Id: <d6add35e43b45b892ad9eb015d29c0b2720001c2.1377873639.git.jdenemar@redhat.com> |
| From: "Daniel P. Berrange" <berrange@redhat.com> |
| Date: Fri, 30 Aug 2013 11:16:04 +0100 |
| Subject: [PATCH] Add bounds checking on virDomainGetJobStats RPC call |
| |
| For |
| |
| https://bugzilla.redhat.com/show_bug.cgi?id=1002667 |
| |
| The return values for the virDomainGetJobStats call were not |
| bounds checked. This is a robustness issue for clients if |
| something were to cause corruption of the RPC stream data. |
| |
| Signed-off-by: Daniel P. Berrange <berrange@redhat.com> |
| (cherry picked from commit 6d7d0b1869ed293e3208d11f375cecea0129dfc5) |
| |
| daemon/remote.c | 7 +++++++ |
| src/remote/remote_driver.c | 8 ++++++++ |
| src/remote/remote_protocol.x | 5 ++++- |
| 3 files changed, 19 insertions(+), 1 deletion(-) |
| |
| diff --git a/daemon/remote.c b/daemon/remote.c |
| index a11ba94..ad78011 100644 |
| |
| |
| @@ -4579,6 +4579,13 @@ remoteDispatchDomainGetJobStats(virNetServerPtr server ATTRIBUTE_UNUSED, |
| &nparams, args->flags) < 0) |
| goto cleanup; |
| |
| + if (nparams > REMOTE_DOMAIN_JOB_STATS_MAX) { |
| + virReportError(VIR_ERR_RPC, |
| + _("Too many job stats '%d' for limit '%d'"), |
| + nparams, REMOTE_DOMAIN_JOB_STATS_MAX); |
| + goto cleanup; |
| + } |
| + |
| if (remoteSerializeTypedParameters(params, nparams, |
| &ret->params.params_val, |
| &ret->params.params_len, |
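Review bot: The new limit check runs after virDomainGetJobStats() has already filled `params`, so its `goto cleanup` depends on the cleanup label releasing that array, and that label is outside this hunk; worth confirming it does so on this path. A short comment above the check would also help, for example `/* Fail with a clear error rather than emit a reply that exceeds the protocol's array bound */`, since it is not obvious why the daemon bounds its own output. remoteDispatchDomainGetJobStats starts and ends outside the hunk.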
| diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c |
| index 30f8f90..33b2b0f 100644 |
| |
| |
| @@ -5998,6 +5998,14 @@ remoteDomainGetJobStats(virDomainPtr domain, |
| (xdrproc_t) xdr_remote_domain_get_job_stats_ret, (char *) &ret) == -1) |
| goto done; |
| |
| + if (ret.params.params_len > REMOTE_DOMAIN_JOB_STATS_MAX) { |
| + virReportError(VIR_ERR_RPC, |
| + _("Too many job stats '%d' for limit '%d'"), |
| + ret.params.params_len, |
| + REMOTE_DOMAIN_JOB_STATS_MAX); |
| + goto cleanup; |
| + } |
| + |
| *type = ret.type; |
| |
| if (remoteDeserializeTypedParameters(ret.params.params_val, |
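Review bot: `ret.params.params_len` is printed with `%d` in the added virReportError() call, but rpcgen emits the length member of a variable-length array as `u_int`, so the specifier should be `%u`: `_("Too many job stats '%u' for limit '%d'")`. It matters most in the case this check exists for, a corrupted or untrusted stream, where a length above INT_MAX would be logged as a negative number and mislead whoever reads the log. The check uses `goto cleanup` while the call just above uses `goto done`; that looks intentional, since the reply has been decoded by then and presumably needs freeing, but both labels are outside the hunk.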
| diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x |
| index 4262c34..eff7e1c 100644 |
| |
| |
| @@ -237,6 +237,9 @@ const REMOTE_NODE_MEMORY_PARAMETERS_MAX = 64; |
| /* Upper limit on migrate parameters */ |
| const REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX = 64; |
| |
| +/* Upper limit on number of job stats */ |
| +const REMOTE_DOMAIN_JOB_STATS_MAX = 16; |
| + |
| /* UUID. VIR_UUID_BUFLEN definition comes from libvirt.h */ |
| typedef opaque remote_uuid[VIR_UUID_BUFLEN]; |
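Review bot: The limit of 16 is enforced in the daemon, in the client and in the XDR type, so it also caps how many job statistics any hypervisor driver can return: once a driver reports a 17th field, the daemon check fails the whole call rather than truncating. The comment should record that constraint, e.g. `/* Upper limit on number of job stats; must be >= the largest set any driver returns */`. Because the bound on `params` in `remote_domain_get_job_stats_ret` (the last hunk of this file) becomes part of the wire contract, a client built with this value will presumably reject a longer reply from a daemon built with a larger one, so raising it later means updating both sides.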
| |
| @@ -2196,7 +2199,7 @@ struct remote_domain_get_job_stats_args { |
| |
| struct remote_domain_get_job_stats_ret { |
| int type; |
| - remote_typed_param params<>; |
| + remote_typed_param params<REMOTE_DOMAIN_JOB_STATS_MAX>; |
| }; |
| |
| |
| -- |
| 1.8.3.2 |
| |