|
 |
93d60d |
From 6e5b9924b172be4f33c7fc264a8ff1d6109b79fe Mon Sep 17 00:00:00 2001
|
|
|
93d60d |
From: Frediano Ziglio <freddy77@gmail.com>
|
|
|
93d60d |
Date: Sun, 20 Sep 2020 08:05:37 +0100
|
|
|
93d60d |
Subject: [PATCH vd_agent_linux 12/17] Avoids unlimited agent connections
|
|
|
93d60d |
|
|
|
93d60d |
Limit the number of agents that can be connected.
|
|
|
93d60d |
Avoids reaching the maximum number of files in a process.
|
|
|
93d60d |
Beside one file descriptor per agent the daemon open just some
|
|
|
93d60d |
other fixed number of files.
|
|
|
93d60d |
|
|
|
93d60d |
This issue was reported by SUSE security team.
|
|
|
93d60d |
|
|
|
93d60d |
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
|
|
|
93d60d |
---
|
|
|
93d60d |
src/udscs.c | 12 ++++++++++++
|
|
|
93d60d |
1 file changed, 12 insertions(+)
|
|
|
93d60d |
|
|
|
93d60d |
diff --git a/src/udscs.c b/src/udscs.c
|
|
|
93d60d |
index 7c99eed..3df67b3 100644
|
|
|
93d60d |
--- a/src/udscs.c
|
|
|
93d60d |
+++ b/src/udscs.c
|
|
|
93d60d |
@@ -30,6 +30,12 @@
|
|
|
93d60d |
#include "vdagentd-proto-strings.h"
|
|
|
93d60d |
#include "vdagent-connection.h"
|
|
|
93d60d |
|
|
|
93d60d |
+// Maximum number of connected agents.
|
|
|
93d60d |
+// Avoid DoS from agents.
|
|
|
93d60d |
+// As each connection end up taking a file descriptor is good to have a limit
|
|
|
93d60d |
+// less than the number of file descriptors in the process (by default 1024).
|
|
|
93d60d |
+#define MAX_CONNECTED_AGENTS 128
|
|
|
93d60d |
+
|
|
|
93d60d |
struct _UdscsConnection {
|
|
|
93d60d |
VDAgentConnection parent_instance;
|
|
|
93d60d |
int debug;
|
|
|
93d60d |
@@ -254,6 +260,12 @@ static gboolean udscs_server_accept_cb(GSocketService *service,
|
|
|
93d60d |
struct udscs_server *server = user_data;
|
|
|
93d60d |
UdscsConnection *new_conn;
|
|
|
93d60d |
|
|
|
93d60d |
+ /* prevents DoS having too many agents attached */
|
|
|
93d60d |
+ if (g_list_length(server->connections) >= MAX_CONNECTED_AGENTS) {
|
|
|
93d60d |
+ syslog(LOG_ERR, "Too many agents connected");
|
|
|
93d60d |
+ return TRUE;
|
|
|
93d60d |
+ }
|
|
|
93d60d |
+
|
|
|
93d60d |
new_conn = g_object_new(UDSCS_TYPE_CONNECTION, NULL);
|
|
|
93d60d |
new_conn->debug = server->debug;
|
|
|
93d60d |
new_conn->read_callback = server->read_callback;
|
|
|
93d60d |
--
|
|
|
93d60d |
2.26.2
|
|
|
93d60d |
|