From f79b8cfc288deb39dc652a7a552f8bcb85dc1148 Mon Sep 17 00:00:00 2001 Message-Id: From: "Daniel P. Berrange" Date: Fri, 30 Aug 2013 11:16:06 +0100 Subject: [PATCH] Add bounds checking on virConnectListAllDomains RPC call For https://bugzilla.redhat.com/show_bug.cgi?id=1002667 The return values for the virConnectListAllDomains call were not bounds checked. This is a robustness issue for clients if something where to cause corruption of the RPC stream data. Signed-off-by: Daniel P. Berrange (cherry picked from commit 9e97128ba5a1045b71b50adb23993f09628f0a24) --- daemon/remote.c | 7 +++++++ src/remote/remote_driver.c | 15 +++++++++++---- src/remote/remote_protocol.x | 15 +++++---------- 3 files changed, 23 insertions(+), 14 deletions(-) diff --git a/daemon/remote.c b/daemon/remote.c index e228cba..8289cb5 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -1050,6 +1050,13 @@ remoteDispatchConnectListAllDomains(virNetServerPtr server ATTRIBUTE_UNUSED, args->flags)) < 0) goto cleanup; + if (ndomains > REMOTE_DOMAIN_LIST_MAX) { + virReportError(VIR_ERR_RPC, + _("Too many domains '%d' for limit '%d'"), + ndomains, REMOTE_DOMAIN_LIST_MAX); + goto cleanup; + } + if (doms && ndomains) { if (VIR_ALLOC_N(ret->domains.domains_val, ndomains) < 0) goto cleanup; diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index 14c16f6..cd2b9a9 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -1370,10 +1370,10 @@ remoteConnectListDomains(virConnectPtr conn, int *ids, int maxids) remoteDriverLock(priv); - if (maxids > REMOTE_DOMAIN_ID_LIST_MAX) { + if (maxids > REMOTE_DOMAIN_LIST_MAX) { virReportError(VIR_ERR_RPC, - _("too many remote domain IDs: %d > %d"), - maxids, REMOTE_DOMAIN_ID_LIST_MAX); + _("Too many domains '%d' for limit '%d'"), + maxids, REMOTE_DOMAIN_LIST_MAX); goto done; } args.maxids = maxids; @@ -1386,7 +1386,7 @@ remoteConnectListDomains(virConnectPtr conn, int *ids, int maxids) if (ret.ids.ids_len > maxids) { virReportError(VIR_ERR_RPC, - _("too many remote domain IDs: %d > %d"), + _("Too many domains '%d' for limit '%d'"), ret.ids.ids_len, maxids); goto cleanup; } @@ -1433,6 +1433,13 @@ remoteConnectListAllDomains(virConnectPtr conn, (char *) &ret) == -1) goto done; + if (ret.domains.domains_len > REMOTE_DOMAIN_LIST_MAX) { + virReportError(VIR_ERR_RPC, + _("Too many domains '%d' for limit '%d'"), + ret.domains.domains_len, REMOTE_DOMAIN_LIST_MAX); + goto cleanup; + } + if (domains) { if (VIR_ALLOC_N(doms, ret.domains.domains_len + 1) < 0) goto cleanup; diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x index 9e3918c..718e398 100644 --- a/src/remote/remote_protocol.x +++ b/src/remote/remote_protocol.x @@ -73,13 +73,8 @@ typedef string remote_nonnull_string; /* A long string, which may be NULL. */ typedef remote_nonnull_string *remote_string; -/* This just places an upper limit on the length of lists of - * domain IDs which may be sent via the protocol. - */ -const REMOTE_DOMAIN_ID_LIST_MAX = 16384; - -/* Upper limit on lists of domain names. */ -const REMOTE_DOMAIN_NAME_LIST_MAX = 16384; +/* Upper limit on lists of domains. */ +const REMOTE_DOMAIN_LIST_MAX = 16384; /* Upper limit on cpumap (bytes) passed to virDomainPinVcpu. */ const REMOTE_CPUMAP_MAX = 2048; @@ -724,7 +719,7 @@ struct remote_connect_list_domains_args { }; struct remote_connect_list_domains_ret { - int ids; /* insert@1 */ + int ids; /* insert@1 */ }; struct remote_connect_num_of_domains_ret { @@ -990,7 +985,7 @@ struct remote_connect_list_defined_domains_args { }; struct remote_connect_list_defined_domains_ret { - remote_nonnull_string names; /* insert@1 */ + remote_nonnull_string names; /* insert@1 */ }; struct remote_connect_num_of_defined_domains_ret { @@ -2665,7 +2660,7 @@ struct remote_connect_list_all_domains_args { }; struct remote_connect_list_all_domains_ret { - remote_nonnull_domain domains<>; + remote_nonnull_domain domains; unsigned int ret; }; -- 1.8.3.2