From: Frediano Ziglio <freddy77@xxxxxxxxx>
Limit the number of active file transfers possibly causing DoSes
consuming memory in "active_xfers".
This issue was reported by SUSE security team.
Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
Acked-by: Uri Lublin <uril@xxxxxxxxxx>
---
src/vdagentd/vdagentd.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c
index f15989d..8462889 100644
--- a/src/vdagentd/vdagentd.c
+++ b/src/vdagentd/vdagentd.c
@@ -47,6 +47,14 @@
#define DEFAULT_UINPUT_DEVICE "/dev/uinput"
+// Maximum number of transfers active at any time.
+// Avoid DoS from client.
+// As each transfer could likely end up taking a file descriptor
+// it is good to have a limit less than the number of file descriptors
+// in the process (by default 1024). The daemon do not open file
+// descriptors for the transfers but the agents do.
+#define MAX_ACTIVE_TRANSFERS 128
+
struct agent_data {
char *session;
int width;
@@ -380,6 +388,21 @@ static void do_client_file_xfer(VirtioPort *vport,
"Cancelling client file-xfer request %u",
s->id, VD_AGENT_FILE_XFER_STATUS_SESSION_LOCKED, NULL, 0);
return;
+ } else if (g_hash_table_size(active_xfers) >= MAX_ACTIVE_TRANSFERS) {
+ VDAgentFileXferStatusError error = {
+ GUINT32_TO_LE(VD_AGENT_FILE_XFER_STATUS_ERROR_GLIB_IO),
+ GUINT32_TO_LE(G_IO_ERROR_TOO_MANY_OPEN_FILES),
+ };
+ size_t detail_size = sizeof(error);
+ if (!VD_AGENT_HAS_CAPABILITY(capabilities, capabilities_size,
+ VD_AGENT_CAP_FILE_XFER_DETAILED_ERRORS)) {
+ detail_size = 0;
+ }
+ send_file_xfer_status(vport,
+ "Too many transfers ongoing. "
+ "Cancelling client file-xfer request %u",
+ s->id, VD_AGENT_FILE_XFER_STATUS_ERROR, (void*) &error, detail_size);
+ return;
}
msg_type = VDAGENTD_FILE_XFER_START;
id = s->id;
--
2.26.2
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel