Add bounds checking on virConnectListAllSecrets RPC call

The return values for the virConnectListAllSecrets call were not bounds checked. This is a robustness issue for clients if something where to cause corruption of the RPC stream data. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2024-07-11 04:15:49 +00:00 · 2013-08-19 14:49:57 +01:00 · 2013-08-19 14:49:57 +01:00 · 47fb5672f2
commit 47fb5672f2
parent 12034511a1
3 changed files with 17 additions and 3 deletions
--- a/daemon/remote.c
+++ b/daemon/remote.c
@ -4433,6 +4433,13 @@ remoteDispatchConnectListAllSecrets(virNetServerPtr server ATTRIBUTE_UNUSED,
                                             args->flags)) < 0)
        goto cleanup;

+    if (nsecrets > REMOTE_SECRET_LIST_MAX) {
+        virReportError(VIR_ERR_RPC,
+                       _("Too many secrets '%d' for limit '%d'"),
+                       nsecrets, REMOTE_SECRET_LIST_MAX);
+        goto cleanup;
+    }
+
    if (secrets && nsecrets) {
        if (VIR_ALLOC_N(ret->secrets.secrets_val, nsecrets) < 0)
            goto cleanup;
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@ -3107,6 +3107,13 @@ remoteConnectListAllSecrets(virConnectPtr conn,
             (char *) &ret) == -1)
        goto done;

+    if (ret.secrets.secrets_len > REMOTE_SECRET_LIST_MAX) {
+        virReportError(VIR_ERR_RPC,
+                       _("Too many secrets '%d' for limit '%d'"),
+                       ret.secrets.secrets_len, REMOTE_SECRET_LIST_MAX);
+        goto cleanup;
+    }
+
    if (secrets) {
        if (VIR_ALLOC_N(tmp_secrets, ret.secrets.secrets_len + 1) < 0)
            goto cleanup;
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@ -188,7 +188,7 @@ const REMOTE_SECRET_VALUE_MAX = 65536;
 /*
 * Upper limit on list of secrets.
 */
-const REMOTE_SECRET_UUID_LIST_MAX = 16384;
+const REMOTE_SECRET_LIST_MAX = 16384;

 /*
 * Upper limit on list of CPUs accepted when computing a baseline CPU.
@ -2002,7 +2002,7 @@ struct remote_connect_list_secrets_args {
 };

 struct remote_connect_list_secrets_ret {
-    remote_nonnull_string uuids<REMOTE_SECRET_UUID_LIST_MAX>; /* insert@1 */
+    remote_nonnull_string uuids<REMOTE_SECRET_LIST_MAX>; /* insert@1 */
 };

 struct remote_secret_lookup_by_uuid_args {
@ -2728,7 +2728,7 @@ struct remote_connect_list_all_secrets_args {
 };

 struct remote_connect_list_all_secrets_ret {
-    remote_nonnull_secret secrets<>;
+    remote_nonnull_secret secrets<REMOTE_SECRET_LIST_MAX>;
    unsigned int ret;
 };