rpms / spice-vdagent

Clone
Source Code
GIT

Blame SOURCES/0010-Avoids-unchecked-file-transfer-IDs-allocation-and-us.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   f8004d2e4df4144faaf1ad4805ddd416ae1cd679
  2.   SOURCES
  3.   0010-Avoids-unchecked-file-transfer-IDs-allocation-and-us.patch
Blob History Raw
39f53b 
From 956608c1344f185e39294004b64906a7e1b5c14c Mon Sep 17 00:00:00 2001
39f53b 
From: Frediano Ziglio <freddy77@gmail.com>
39f53b 
Date: Sat, 19 Sep 2020 15:13:42 +0100
39f53b 
Subject: [PATCH vd_agent_linux 10/17] Avoids unchecked file transfer IDs
39f53b 
 allocation and usage
39f53b
39f53b 
Avoid agents allocating file transfers.
39f53b 
The "active_xfers" entries are now inserted when client start sending
39f53b 
files.
39f53b 
Also different agents cannot mess with other agent transfers as a
39f53b 
transfer is bound to a single agent.
39f53b
39f53b 
This issue was reported by SUSE security team.
39f53b
39f53b 
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
39f53b 
Acked-by: Uri Lublin <uril@redhat.com>
39f53b 
---
39f53b 
 src/vdagentd/vdagentd.c | 28 ++++++++++++++++++++++------
39f53b 
 1 file changed, 22 insertions(+), 6 deletions(-)
39f53b
39f53b 
diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c
39f53b 
index eddfcf6..8961a99 100644
39f53b 
--- a/src/vdagentd/vdagentd.c
39f53b 
+++ b/src/vdagentd/vdagentd.c
39f53b 
@@ -381,9 +381,11 @@ static void do_client_file_xfer(VirtioPort *vport,
39f53b 
                s->id, VD_AGENT_FILE_XFER_STATUS_SESSION_LOCKED, NULL, 0);
39f53b 
             return;
39f53b 
         }
39f53b 
-        udscs_write(active_session_conn, VDAGENTD_FILE_XFER_START, 0, 0,
39f53b 
-                    data, message_header->size);
39f53b 
-        return;
39f53b 
+        msg_type = VDAGENTD_FILE_XFER_START;
39f53b 
+        id = s->id;
39f53b 
+        // associate the id with the active connection
39f53b 
+        g_hash_table_insert(active_xfers, GUINT_TO_POINTER(id), active_session_conn);
39f53b 
+        break;
39f53b 
     }
39f53b 
     case VD_AGENT_FILE_XFER_STATUS: {
39f53b 
         VDAgentFileXferStatusMessage *s = (VDAgentFileXferStatusMessage *)data;
39f53b 
@@ -408,6 +410,12 @@ static void do_client_file_xfer(VirtioPort *vport,
39f53b 
         return;
39f53b 
     }
39f53b 
     udscs_write(conn, msg_type, 0, 0, data, message_header->size);
39f53b 
+
39f53b 
+    // client told that transfer is ended, agents too stop the transfer
39f53b 
+    // and release resources
39f53b 
+    if (message_header->type == VD_AGENT_FILE_XFER_STATUS) {
39f53b 
+        g_hash_table_remove(active_xfers, GUINT_TO_POINTER(id));
39f53b 
+    }
39f53b 
 }
39f53b
39f53b 
 static void forward_data_to_session_agent(uint32_t type, uint8_t *data, size_t size)
39f53b 
@@ -1015,6 +1023,15 @@ static void do_agent_file_xfer_status(UdscsConnection             *conn,
39f53b 
     const gchar *log_msg = NULL;
39f53b 
     guint data_size = 0;
39f53b
39f53b 
+    UdscsConnection *task_conn = g_hash_table_lookup(active_xfers, task_id);
39f53b 
+    if (task_conn == NULL || task_conn != conn) {
39f53b 
+        // Protect against misbehaving agent.
39f53b 
+        // Ignore the message, but do not disconnect the agent, to protect against
39f53b 
+        // a misbehaving client that tries to disconnect a good agent
39f53b 
+        // e.g. by sending a new task and immediately cancelling it.
39f53b 
+        return;
39f53b 
+    }
39f53b 
+
39f53b 
     /* header->arg1 = file xfer task id, header->arg2 = file xfer status */
39f53b 
     switch (header->arg2) {
39f53b 
         case VD_AGENT_FILE_XFER_STATUS_NOT_ENOUGH_SPACE:
39f53b 
@@ -1029,10 +1046,9 @@ static void do_agent_file_xfer_status(UdscsConnection             *conn,
39f53b 
     send_file_xfer_status(virtio_port, log_msg, header->arg1, header->arg2,
39f53b 
                           data, data_size);
39f53b
39f53b 
-    if (header->arg2 == VD_AGENT_FILE_XFER_STATUS_CAN_SEND_DATA)
39f53b 
-        g_hash_table_insert(active_xfers, task_id, conn);
39f53b 
-    else
39f53b 
+    if (header->arg2 != VD_AGENT_FILE_XFER_STATUS_CAN_SEND_DATA) {
39f53b 
         g_hash_table_remove(active_xfers, task_id);
39f53b 
+    }
39f53b 
 }
39f53b
39f53b 
 static void agent_read_complete(UdscsConnection *conn,
39f53b 
--
39f53b 
2.26.2
39f53b

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation