[libvirt] [PATCH] Fix oversized stack allocation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



# HG changeset patch
# User John Levon <john.levon@xxxxxxx>
# Date 1231946129 28800
# Node ID c7538cb7fab4e6f3aa6714fdd4126dcf2f0371b4
# Parent  cfe04caba5de61620fa6d1c2bff85cfd62255c1d
Fix oversized stack allocation

REMOTE_MESSAGE_MAX is a whopping 262Kb and shouldn't be allocated on the
stack.

Signed-off-by: Ryan Scott <ryan.scott@xxxxxxx>

diff --git a/src/remote_internal.c b/src/remote_internal.c
--- a/src/remote_internal.c
+++ b/src/remote_internal.c
@@ -4797,10 +4797,11 @@ call (virConnectPtr conn, struct private
       xdrproc_t args_filter, char *args,
       xdrproc_t ret_filter, char *ret)
 {
-    char buffer[REMOTE_MESSAGE_MAX];
+    char *buffer = NULL;
     char buffer2[4];
     struct remote_message_header hdr;
     XDR xdr;
+    int err = -1;
     int len;
     struct remote_error rerror;
 
@@ -4814,18 +4815,23 @@ call (virConnectPtr conn, struct private
     hdr.serial = serial;
     hdr.status = REMOTE_OK;
 
+    if ((buffer = malloc(REMOTE_MESSAGE_MAX)) == NULL) {
+        error (conn, VIR_ERR_SYSTEM_ERROR, strerror (errno));
+        goto out;
+    }
+
     /* Serialise header followed by args. */
-    xdrmem_create (&xdr, buffer, sizeof buffer, XDR_ENCODE);
+    xdrmem_create (&xdr, buffer, REMOTE_MESSAGE_MAX, XDR_ENCODE);
     if (!xdr_remote_message_header (&xdr, &hdr)) {
         error (flags & REMOTE_CALL_IN_OPEN ? NULL : conn,
                VIR_ERR_RPC, _("xdr_remote_message_header failed"));
-        return -1;
+        goto out;
     }
 
     if (!(*args_filter) (&xdr, args)) {
         error (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, VIR_ERR_RPC,
                _("marshalling args"));
-        return -1;
+        goto out;
     }
 
     /* Get the length stored in buffer. */
@@ -4842,25 +4848,25 @@ call (virConnectPtr conn, struct private
     if (!xdr_int (&xdr, &len)) {
         error (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, VIR_ERR_RPC,
                _("xdr_int (length word)"));
-        return -1;
+        goto out;
     }
     xdr_destroy (&xdr);
 
     /* Send length word followed by header+args. */
     if (really_write (conn, priv, flags & REMOTE_CALL_IN_OPEN, buffer2, sizeof buffer2) == -1 ||
         really_write (conn, priv, flags & REMOTE_CALL_IN_OPEN, buffer, len-4) == -1)
-        return -1;
+        goto out;
 
 retry_read:
     /* Read and deserialise length word. */
     if (really_read (conn, priv, flags & REMOTE_CALL_IN_OPEN, buffer2, sizeof buffer2) == -1)
-        return -1;
+        goto out;
 
     xdrmem_create (&xdr, buffer2, sizeof buffer2, XDR_DECODE);
     if (!xdr_int (&xdr, &len)) {
         error (flags & REMOTE_CALL_IN_OPEN ? NULL : conn,
                VIR_ERR_RPC, _("xdr_int (length word, reply)"));
-        return -1;
+        goto out;
     }
     xdr_destroy (&xdr);
 
@@ -4870,20 +4876,25 @@ retry_read:
     if (len < 0 || len > REMOTE_MESSAGE_MAX) {
         error (flags & REMOTE_CALL_IN_OPEN ? NULL : conn,
                VIR_ERR_RPC, _("packet received from server too large"));
-        return -1;
     }
 
     /* Read reply header and what follows (either a ret or an error). */
     if (really_read (conn, priv, flags & REMOTE_CALL_IN_OPEN, buffer, len) == -1)
-        return -1;
+        goto out;
 
     /* Deserialise reply header. */
     xdrmem_create (&xdr, buffer, len, XDR_DECODE);
     if (!xdr_remote_message_header (&xdr, &hdr)) {
         error (flags & REMOTE_CALL_IN_OPEN ? NULL : conn,
                VIR_ERR_RPC, _("invalid header in reply"));
-        return -1;
-    }
+        goto out;
+    }
+
+    /*
+     * Although the previous lines were the last references to buffer in this
+     * function, we can't free it yet, as the xdr struct still has some
+     * pointers to it.
+     */
 
     /* Check program, version, etc. are what we expect. */
     if (hdr.prog != REMOTE_PROGRAM) {
@@ -4892,7 +4903,7 @@ retry_read:
                          VIR_ERR_RPC, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0,
                          _("unknown program (received %x, expected %x)"),
                          hdr.prog, REMOTE_PROGRAM);
-        return -1;
+        goto out;
     }
     if (hdr.vers != REMOTE_PROTOCOL_VERSION) {
         virRaiseError (flags & REMOTE_CALL_IN_OPEN ? NULL : conn,
@@ -4900,7 +4911,7 @@ retry_read:
                          VIR_ERR_RPC, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0,
                          _("unknown protocol version (received %x, expected %x)"),
                          hdr.vers, REMOTE_PROTOCOL_VERSION);
-        return -1;
+        goto out;
     }
 
     if (hdr.proc == REMOTE_PROC_DOMAIN_EVENT &&
@@ -4923,7 +4934,7 @@ retry_read:
                          VIR_ERR_RPC, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0,
                          _("unknown procedure (received %x, expected %x)"),
                          hdr.proc, proc_nr);
-        return -1;
+        goto out;
     }
     if (hdr.direction != REMOTE_REPLY) {
         virRaiseError (flags & REMOTE_CALL_IN_OPEN ? NULL : conn,
@@ -4931,14 +4942,14 @@ retry_read:
                          VIR_ERR_RPC, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0,
                          _("unknown direction (received %x, expected %x)"),
                          hdr.direction, REMOTE_REPLY);
-        return -1;
+        goto out;
     }
     if (hdr.serial != serial) {
         virRaiseError (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE,
                          VIR_ERR_RPC, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0,
                          _("unknown serial (received %x, expected %x)"),
                          hdr.serial, serial);
-        return -1;
+        goto out;
     }
 
     /* Status is either REMOTE_OK (meaning that what follows is a ret
@@ -4950,17 +4961,18 @@ retry_read:
         if (!(*ret_filter) (&xdr, ret)) {
             error (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, VIR_ERR_RPC,
                    _("unmarshalling ret"));
-            return -1;
+            goto out;
         }
         xdr_destroy (&xdr);
-        return 0;
+        err = 0;
+        goto out;
 
     case REMOTE_ERROR:
         memset (&rerror, 0, sizeof rerror);
         if (!xdr_remote_error (&xdr, &rerror)) {
             error (flags & REMOTE_CALL_IN_OPEN ? NULL : conn,
                    VIR_ERR_RPC, _("unmarshalling remote_error"));
-            return -1;
+            goto out;
         }
         xdr_destroy (&xdr);
         /* See if caller asked us to keep quiet about missing RPCs
@@ -4970,11 +4982,12 @@ retry_read:
             rerror.code == VIR_ERR_RPC &&
             rerror.level == VIR_ERR_ERROR &&
             STRPREFIX(*rerror.message, "unknown procedure")) {
-            return -2;
+            err = -2;
+            goto out;
         }
         server_error (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, &rerror);
         xdr_free ((xdrproc_t) xdr_remote_error, (char *) &rerror);
-        return -1;
+        goto out;
 
     default:
         virRaiseError (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE,
@@ -4982,8 +4995,12 @@ retry_read:
                          _("unknown status (received %x)"),
                          hdr.status);
         xdr_destroy (&xdr);
-        return -1;
-    }
+        goto out;
+    }
+
+out:
+    VIR_FREE (buffer);
+    return err;
 }
 
 static int
@@ -5551,7 +5568,7 @@ remoteDomainEventFired(int watch,
                        int event,
                        void *opaque)
 {
-    char buffer[REMOTE_MESSAGE_MAX];
+    char *buffer = NULL;
     char buffer2[4];
     struct remote_message_header hdr;
     XDR xdr;
@@ -5566,22 +5583,22 @@ remoteDomainEventFired(int watch,
          DEBUG("%s : VIR_EVENT_HANDLE_HANGUP or "
                "VIR_EVENT_HANDLE_ERROR encountered", __FUNCTION__);
          virEventRemoveHandle(watch);
-         return;
+         goto out;
     }
 
     if (fd != priv->sock) {
         virEventRemoveHandle(watch);
-        return;
+        goto out;
     }
 
     /* Read and deserialise length word. */
     if (really_read (conn, priv, 0, buffer2, sizeof buffer2) == -1)
-        return;
+        goto out;
 
     xdrmem_create (&xdr, buffer2, sizeof buffer2, XDR_DECODE);
     if (!xdr_int (&xdr, &len)) {
         error (conn, VIR_ERR_RPC, _("xdr_int (length word, reply)"));
-        return;
+        goto out;
     }
     xdr_destroy (&xdr);
 
@@ -5590,20 +5607,25 @@ remoteDomainEventFired(int watch,
 
     if (len < 0 || len > REMOTE_MESSAGE_MAX) {
         error (conn, VIR_ERR_RPC, _("packet received from server too large"));
-        return;
+        goto out;
+    }
+
+    if ((buffer = malloc(REMOTE_MESSAGE_MAX)) == NULL) {
+        error (conn, VIR_ERR_SYSTEM_ERROR, strerror (errno));
+        goto out;
     }
 
     /* Read reply header and what follows (either a ret or an error). */
     if (really_read (conn, priv, 0, buffer, len) == -1) {
         error (conn, VIR_ERR_RPC, _("error reading buffer from memory"));
-        return;
+        goto out;
     }
 
     /* Deserialise reply header. */
     xdrmem_create (&xdr, buffer, len, XDR_DECODE);
     if (!xdr_remote_message_header (&xdr, &hdr)) {
         error (conn, VIR_ERR_RPC, _("invalid header in event firing"));
-        return;
+        goto out;
     }
 
     if (hdr.proc == REMOTE_PROC_DOMAIN_EVENT &&
@@ -5614,6 +5636,9 @@ remoteDomainEventFired(int watch,
         DEBUG0("invalid proc in event firing");
         error (conn, VIR_ERR_RPC, _("invalid proc in event firing"));
     }
+
+out:
+    VIR_FREE (buffer);
 }
 
 void

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]