From 6e5b9924b172be4f33c7fc264a8ff1d6109b79fe Mon Sep 17 00:00:00 2001

From: Frediano Ziglio <freddy77@gmail.com>

Date: Sun, 20 Sep 2020 08:05:37 +0100

Subject: [PATCH vd_agent_linux 12/17] Avoids unlimited agent connections

Limit the number of agents that can be connected.

Avoids reaching the maximum number of files in a process.

Beside one file descriptor per agent the daemon open just some

other fixed number of files.

This issue was reported by SUSE security team.

Signed-off-by: Frediano Ziglio <freddy77@gmail.com>

---

 src/udscs.c | 12 ++++++++++++

 1 file changed, 12 insertions(+)

diff --git a/src/udscs.c b/src/udscs.c

index 7c99eed..3df67b3 100644

--- a/src/udscs.c

+++ b/src/udscs.c

@@ -30,6 +30,12 @@

 #include "vdagentd-proto-strings.h"

 #include "vdagent-connection.h"

+// Maximum number of connected agents.

+// Avoid DoS from agents.

+// As each connection end up taking a file descriptor is good to have a limit

+// less than the number of file descriptors in the process (by default 1024).

+#define MAX_CONNECTED_AGENTS 128

+

 struct _UdscsConnection {

     VDAgentConnection parent_instance;

     int debug;

@@ -254,6 +260,12 @@ static gboolean udscs_server_accept_cb(GSocketService    *service,

     struct udscs_server *server = user_data;

     UdscsConnection *new_conn;

+    /* prevents DoS having too many agents attached */

+    if (g_list_length(server->connections) >= MAX_CONNECTED_AGENTS) {

+        syslog(LOG_ERR, "Too many agents connected");

+        return TRUE;

+    }

+

     new_conn = g_object_new(UDSCS_TYPE_CONNECTION, NULL);

     new_conn->debug = server->debug;

     new_conn->read_callback = server->read_callback;

-- 

2.26.2