On Thu, Aug 15, 2013 at 02:24:27AM +0530, nehaljwani wrote:
> Implement RPC calls for virDomainInterfacesAddresses
>
> daemon/remote.c
> * Define remoteSerializeDomainInterfacePtr, remoteDispatchDomainInterfacesAddresses
>
> src/remote/remote_driver.c
> * Define remoteDomainInterfacesAddresses
>
> src/remote/remote_protocol.x
> * New RPC procedure: REMOTE_PROC_DOMAIN_INTERFACES_ADDRESSES
> * Define structs remote_domain_ip_addr, remote_domain_interface,
> remote_domain_interfaces_addresses_args, remote_domain_interfaces_addresses_ret
>
> src/remote_protocol-structs
> * New structs added
>
> ---
> daemon/remote.c | 122 +++++++++++++++++++++++++++++++++++++++++++
> src/remote/remote_driver.c | 88 +++++++++++++++++++++++++++++++
> src/remote/remote_protocol.x | 30 ++++++++++-
> src/remote_protocol-structs | 24 +++++++++
> 4 files changed, 263 insertions(+), 1 deletion(-)
>
> diff --git a/daemon/remote.c b/daemon/remote.c
> index 03d5557..9d8651c 100644
> --- a/daemon/remote.c
> +++ b/daemon/remote.c
> @@ -5025,7 +5025,129 @@ cleanup:
> return rv;
> }
>
> +static int
> +remoteSerializeDomainInterfacePtr(virDomainInterfacePtr ifaces,
> + unsigned int ifaces_count,
> + remote_domain_interfaces_addresses_ret *ret)
> +{
> + size_t i, j;
> +
> + if (VIR_ALLOC_N(ret->ifaces.ifaces_val, ifaces_count) < 0)
> + return -1;
You *must* check upper bound of ifaces_count before allocating memory - this
value is untrusted data.
> +
> + ret->ifaces.ifaces_len = ifaces_count;
> +
> + for (i = 0; i < ifaces_count; i++) {
> + virDomainInterfacePtr iface = &(ifaces[i]);
> + remote_domain_interface *iface_ret = &(ret->ifaces.ifaces_val[i]);
> +
> + if ((VIR_STRDUP(iface_ret->name, iface->name)) < 0)
> + goto no_memory;
> +
> + if (iface->hwaddr) {
> + char **hwaddr_p = NULL;
> + if (VIR_ALLOC(hwaddr_p) < 0)
> + goto no_memory;
> + if (VIR_STRDUP(*hwaddr_p, iface->hwaddr) < 0) {
> + VIR_FREE(hwaddr_p);
> + goto no_memory;
> + }
> +
> + iface_ret->hwaddr = hwaddr_p;
> + }
> +
> + if (VIR_ALLOC_N(iface_ret->ip_addrs.ip_addrs_val,
> + iface->ip_addrs_count) < 0)
> + goto no_memory;
Again ip_addrs_count is untrusted data so must have an upper
bound checked.
> +
> + iface_ret->ip_addrs.ip_addrs_len = iface->ip_addrs_count;
> +
> + for (j = 0; j < iface->ip_addrs_count; j++) {
> + virDomainIPAddressPtr ip_addr = &(iface->ip_addrs[j]);
> + remote_domain_ip_addr *ip_addr_ret =
> + &(iface_ret->ip_addrs.ip_addrs_val[j]);
> +
> + if (VIR_STRDUP(ip_addr_ret->addr, ip_addr->addr) < 0)
> + goto no_memory;
> +
> + ip_addr_ret->prefix = ip_addr->prefix;
> + ip_addr_ret->type = ip_addr->type;
> + }
> + }
> +
> + return 0;
> +
> +no_memory:
> + if (ret->ifaces.ifaces_val) {
> + for (i = 0; i < ifaces_count; i++) {
> + remote_domain_interface *iface_ret = &(ret->ifaces.ifaces_val[i]);
> + VIR_FREE(iface_ret->name);
> + VIR_FREE(iface_ret->hwaddr);
> + for (j = 0; j < iface_ret->ip_addrs.ip_addrs_len; j++) {
> + remote_domain_ip_addr *ip_addr =
> + &(iface_ret->ip_addrs.ip_addrs_val[j]);
> + VIR_FREE(ip_addr->addr);
> + }
> + VIR_FREE(iface_ret);
> + }
> + VIR_FREE(ret->ifaces.ifaces_val);
> + }
>
> + return -1;
> +}
> +
> +static int
> +remoteDispatchDomainInterfacesAddresses(
> + virNetServerPtr server ATTRIBUTE_UNUSED,
> + virNetServerClientPtr client,
> + virNetMessagePtr msg ATTRIBUTE_UNUSED,
> + virNetMessageErrorPtr rerr,
> + remote_domain_interfaces_addresses_args *args,
> + remote_domain_interfaces_addresses_ret *ret)
> +{
> + int rv = -1;
> + virDomainPtr dom = NULL;
> + virDomainInterfacePtr ifaces = NULL;
> + unsigned int ifaces_count = 0;
> + struct daemonClientPrivate *priv =
> + virNetServerClientGetPrivateData(client);
> +
> + if (!priv->conn) {
> + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("connection not open"));
> + goto cleanup;
> + }
> +
> + if (!(dom = get_nonnull_domain(priv->conn, args->dom)))
> + goto cleanup;
> +
> + if (virDomainInterfacesAddresses(dom, &ifaces,
> + &ifaces_count, args->flags) < 0)
> + goto cleanup;
> +
> + if (remoteSerializeDomainInterfacePtr(ifaces, ifaces_count, ret) < 0)
> + goto cleanup;
> +
> + rv = 0;
> +
> +cleanup:
> + if (rv < 0)
> + virNetMessageSaveError(rerr);
> + if (dom)
> + virDomainFree(dom);
> + if (ifaces) {
> + size_t i, j;
> +
> + for (i = 0; i < ifaces_count; i++) {
> + VIR_FREE(ifaces[i].name);
> + VIR_FREE(ifaces[i].hwaddr);
> + for (j = 0; j < ifaces[i].ip_addrs_count; j++)
> + VIR_FREE(ifaces[i].ip_addrs[j].addr);
> + VIR_FREE(ifaces[i].ip_addrs);
> + }
> + VIR_FREE(ifaces);
> + }
> + return rv;
> +}
>
> /*----- Helpers. -----*/
>
> +cleanup:
> + if (rv < 0) {
> + for (i = 0; i < *ifaces_count; i++) {
> + VIR_FREE((*ifaces)[i].name);
> + VIR_FREE((*ifaces)[i].hwaddr);
> + for (j = 0; j < (*ifaces)[i].ip_addrs_count; j++)
> + VIR_FREE((*ifaces)[i].ip_addrs[j].addr);
> + VIR_FREE((*ifaces)[i].ip_addrs);
> + }
> + VIR_FREE(*ifaces);
This horrible code is repeated soo many times - just reinforces my
point on the previous patch about providing a function to hide this.
> + }
> + xdr_free((xdrproc_t)xdr_remote_domain_interfaces_addresses_ret,
> + (char *) &ret);
> +done:
> + remoteDriverUnlock(priv);
> + return rv;
> +}
> +
> static void
> remoteDomainEventQueue(struct private_data *priv, virDomainEventPtr event)
> {
> @@ -6811,6 +6898,7 @@ static virDriver remote_driver = {
> .domainMigratePerform3Params = remoteDomainMigratePerform3Params, /* 1.1.0 */
> .domainMigrateFinish3Params = remoteDomainMigrateFinish3Params, /* 1.1.0 */
> .domainMigrateConfirm3Params = remoteDomainMigrateConfirm3Params, /* 1.1.0 */
> + .domainInterfacesAddresses = remoteDomainInterfacesAddresses, /* 1.1.2 */
> };
>
> static virNetworkDriver network_driver = {
> diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
> index 7cfebdf..06929e7 100644
> --- a/src/remote/remote_protocol.x
> +++ b/src/remote/remote_protocol.x
> @@ -2837,6 +2837,27 @@ struct remote_domain_event_device_removed_msg {
> remote_nonnull_string devAlias;
> };
>
> +struct remote_domain_ip_addr {
> + int type;
> + remote_nonnull_string addr;
> + int prefix;
> +};
> +
> +struct remote_domain_interface {
> + remote_nonnull_string name;
> + remote_string hwaddr;
> + remote_domain_ip_addr ip_addrs<>;
Use of <> *NOT* allowed - this is a security flaw allowing the client
to trigger DOS on libvirtd allocating memory. Follow the examples of
other APis which set an explicit limit.
> +};
> +
> +struct remote_domain_interfaces_addresses_args {
> + remote_nonnull_domain dom;
> + unsigned int flags;
> +};
> +
> +struct remote_domain_interfaces_addresses_ret {
> + remote_domain_interface ifaces<>;
Again, this is flawed.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list