From: "Daniel P. Berrange" <berrange@xxxxxxxxxx> The return values for the virDomainGetJobStats call were not bounds checked. This is a robustness issue for clients if something where to cause corruption of the RPC stream data. Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 daemon/remote.c | 7 +++++++
 src/remote/remote_driver.c | 8 ++++++++
 src/remote/remote_protocol.x | 5 ++++-
 3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/daemon/remote.c b/daemon/remote.c
index a11ba94..ad78011 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -4579,6 +4579,13 @@ remoteDispatchDomainGetJobStats(virNetServerPtr server ATTRIBUTE_UNUSED,
 &nparams, args->flags) < 0)
 goto cleanup;
+ if (nparams > REMOTE_DOMAIN_JOB_STATS_MAX) {
+ virReportError(VIR_ERR_RPC,
+ _("Too many job stats '%d' for limit '%d'"),
+ nparams, REMOTE_DOMAIN_JOB_STATS_MAX);
+ goto cleanup;
+ }
+
 if (remoteSerializeTypedParameters(params, nparams,
 &ret->params.params_val,
 &ret->params.params_len,
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 30f8f90..33b2b0f 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -5998,6 +5998,14 @@ remoteDomainGetJobStats(virDomainPtr domain,
 (xdrproc_t) xdr_remote_domain_get_job_stats_ret, (char *) &ret) == -1)
 goto done;
+ if (ret.params.params_len > REMOTE_DOMAIN_JOB_STATS_MAX) {
+ virReportError(VIR_ERR_RPC,
+ _("Too many job stats '%d' for limit '%d'"),
+ ret.params.params_len,
+ REMOTE_DOMAIN_JOB_STATS_MAX);
+ goto cleanup;
+ }
+
 *type = ret.type;
 if (remoteDeserializeTypedParameters(ret.params.params_val,
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index 4262c34..eff7e1c 100644
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
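Review bot: The error text added in remoteDispatchDomainGetJobStats (daemon/remote.c) is identical to the one added in remoteDomainGetJobStats (src/remote/remote_driver.c), so a log line cannot tell whether the daemon refused to send the reply or the client refused to accept it. Wording the daemon side differently, for example `_("Too many job stats '%d' to send, limit is '%d'")`, would make triage easier. A short comment above the check, such as `/* Never serialize more entries than the wire protocol allows */`, would record why it sits before remoteSerializeTypedParameters. The function starts and ends outside this hunk, so what the `cleanup` label does with `params` cannot be confirmed from here.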
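Review bot: In the src/remote/remote_driver.c hunk, `ret.params.params_len` is formatted with `%d`, but rpcgen normally declares the length of a variable-length array as an unsigned `u_int`. If that holds here, a corrupted length above INT_MAX would be reported as a negative number in exactly the situation this check exists for. Using `%u` for that argument, `_("Too many job stats '%u' for limit '%d'")`, keeps the diagnostic accurate. The new branch jumps to `cleanup` while the failed call() just above it jumps to `done`; that looks intentional because the reply has been decoded by then, but both labels are outside the hunk and should be confirmed.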
@@ -237,6 +237,9 @@ const REMOTE_NODE_MEMORY_PARAMETERS_MAX = 64;
 /* Upper limit on migrate parameters */
 const REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX = 64;
+/* Upper limit on number of job stats */
+const REMOTE_DOMAIN_JOB_STATS_MAX = 16;
+
 /* UUID. VIR_UUID_BUFLEN definition comes from libvirt.h */
 typedef opaque remote_uuid[VIR_UUID_BUFLEN];
@@ -2196,7 +2199,7 @@ struct remote_domain_get_job_stats_args {
 struct remote_domain_get_job_stats_ret {
 int type;
- remote_typed_param params<>;
+ remote_typed_param params<REMOTE_DOMAIN_JOB_STATS_MAX>;
 };
-- 1.8.3.1 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
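Review bot: The comment on `REMOTE_DOMAIN_JOB_STATS_MAX` does not say what happens when the limit is exceeded. With the checks this patch adds in daemon/remote.c and src/remote/remote_driver.c, a hypervisor driver that reports more than 16 job statistics makes the call fail for remote clients rather than return a shortened list. The constant therefore has to grow whenever new statistics fields are introduced. I would expand the comment to something like `/* Upper limit on number of job stats; replies above this are rejected, so raise it when new stats are added */`.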
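Review bot: The bound on `params<REMOTE_DOMAIN_JOB_STATS_MAX>` in `remote_domain_get_job_stats_ret` is the primary guard against an oversized array from a corrupted stream, and nothing in the patch says so. A decoder generated by rpcgen enforces the declared maximum while decoding, so an over-length array should be rejected inside call() before the explicit length check in remoteDomainGetJobStats runs. That makes the client-side check defence in depth, and it is worth recording next to the struct so the bound is not relaxed back to `params<>` later, for example `/* bounded so the XDR decoder rejects oversized arrays */`. A client built from this file will presumably also fail to decode a reply from an older daemon that sends more than 16 entries, which should be acknowledged as intended.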