|
 |
39f53b |
From b173eba1698138f92b08d4deeaac4d2979a67bbf Mon Sep 17 00:00:00 2001
|
|
|
39f53b |
From: Frediano Ziglio <freddy77@gmail.com>
|
|
|
39f53b |
Date: Fri, 2 Oct 2020 12:27:59 +0100
|
|
|
39f53b |
Subject: [PATCH vd_agent_linux 11/17] Avoids uncontrolled "active_xfers"
|
|
|
39f53b |
allocations
|
|
|
39f53b |
|
|
|
39f53b |
Limit the number of active file transfers possibly causing DoSes
|
|
|
39f53b |
consuming memory in "active_xfers".
|
|
|
39f53b |
|
|
|
39f53b |
This issue was reported by SUSE security team.
|
|
|
39f53b |
|
|
|
39f53b |
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
|
|
|
39f53b |
Acked-by: Uri Lublin <uril@redhat.com>
|
|
|
39f53b |
---
|
|
|
39f53b |
src/vdagentd/vdagentd.c | 23 +++++++++++++++++++++++
|
|
|
39f53b |
1 file changed, 23 insertions(+)
|
|
|
39f53b |
|
|
|
39f53b |
diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c
|
|
|
39f53b |
index 8961a99..b31941d 100644
|
|
|
39f53b |
--- a/src/vdagentd/vdagentd.c
|
|
|
39f53b |
+++ b/src/vdagentd/vdagentd.c
|
|
|
39f53b |
@@ -47,6 +47,14 @@
|
|
|
39f53b |
|
|
|
39f53b |
#define DEFAULT_UINPUT_DEVICE "/dev/uinput"
|
|
|
39f53b |
|
|
|
39f53b |
+// Maximum number of transfers active at any time.
|
|
|
39f53b |
+// Avoid DoS from client.
|
|
|
39f53b |
+// As each transfer could likely end up taking a file descriptor
|
|
|
39f53b |
+// it is good to have a limit less than the number of file descriptors
|
|
|
39f53b |
+// in the process (by default 1024). The daemon do not open file
|
|
|
39f53b |
+// descriptors for the transfers but the agents do.
|
|
|
39f53b |
+#define MAX_ACTIVE_TRANSFERS 128
|
|
|
39f53b |
+
|
|
|
39f53b |
struct agent_data {
|
|
|
39f53b |
char *session;
|
|
|
39f53b |
int width;
|
|
|
39f53b |
@@ -380,6 +388,21 @@ static void do_client_file_xfer(VirtioPort *vport,
|
|
|
39f53b |
"Cancelling client file-xfer request %u",
|
|
|
39f53b |
s->id, VD_AGENT_FILE_XFER_STATUS_SESSION_LOCKED, NULL, 0);
|
|
|
39f53b |
return;
|
|
|
39f53b |
+ } else if (g_hash_table_size(active_xfers) >= MAX_ACTIVE_TRANSFERS) {
|
|
|
39f53b |
+ VDAgentFileXferStatusError error = {
|
|
|
39f53b |
+ GUINT32_TO_LE(VD_AGENT_FILE_XFER_STATUS_ERROR_GLIB_IO),
|
|
|
39f53b |
+ GUINT32_TO_LE(G_IO_ERROR_TOO_MANY_OPEN_FILES),
|
|
|
39f53b |
+ };
|
|
|
39f53b |
+ size_t detail_size = sizeof(error);
|
|
|
39f53b |
+ if (!VD_AGENT_HAS_CAPABILITY(capabilities, capabilities_size,
|
|
|
39f53b |
+ VD_AGENT_CAP_FILE_XFER_DETAILED_ERRORS)) {
|
|
|
39f53b |
+ detail_size = 0;
|
|
|
39f53b |
+ }
|
|
|
39f53b |
+ send_file_xfer_status(vport,
|
|
|
39f53b |
+ "Too many transfers ongoing. "
|
|
|
39f53b |
+ "Cancelling client file-xfer request %u",
|
|
|
39f53b |
+ s->id, VD_AGENT_FILE_XFER_STATUS_ERROR, (void*) &error, detail_size);
|
|
|
39f53b |
+ return;
|
|
|
39f53b |
}
|
|
|
39f53b |
msg_type = VDAGENTD_FILE_XFER_START;
|
|
|
39f53b |
id = s->id;
|
|
|
39f53b |
--
|
|
|
39f53b |
2.26.2
|
|
|
39f53b |
|