External/libvirt
1
0
Fork 0
Code

Add bounds checking on virDomainGetJobStats RPC call

Browse Source 
The return values for the virDomainGetJobStats call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrange 2013-08-19 12:42:31 +01:00
parent fd6f6a4861
commit 6d7d0b1869
3 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
daemon/remote.c
View File

@ -4579,6 +4579,13 @@ remoteDispatchDomainGetJobStats(virNetServerPtr server ATTRIBUTE_UNUSED,
&nparams, args->flags) < 0) &nparams, args->flags) < 0)
goto cleanup; goto cleanup;
if (nparams > REMOTE_DOMAIN_JOB_STATS_MAX) {
virReportError(VIR_ERR_RPC,
_("Too many job stats '%d' for limit '%d'"),
nparams, REMOTE_DOMAIN_JOB_STATS_MAX);
goto cleanup;
}
if (remoteSerializeTypedParameters(params, nparams, if (remoteSerializeTypedParameters(params, nparams,
&ret->params.params_val, &ret->params.params_val,
&ret->params.params_len, &ret->params.params_len,

8
src/remote/remote_driver.c
View File

@ -5998,6 +5998,14 @@ remoteDomainGetJobStats(virDomainPtr domain,
(xdrproc_t) xdr_remote_domain_get_job_stats_ret, (char *) &ret) == -1) (xdrproc_t) xdr_remote_domain_get_job_stats_ret, (char *) &ret) == -1)
goto done; goto done;
if (ret.params.params_len > REMOTE_DOMAIN_JOB_STATS_MAX) {
virReportError(VIR_ERR_RPC,
_("Too many job stats '%d' for limit '%d'"),
ret.params.params_len,
REMOTE_DOMAIN_JOB_STATS_MAX);
goto cleanup;
}
*type = ret.type; *type = ret.type;
if (remoteDeserializeTypedParameters(ret.params.params_val, if (remoteDeserializeTypedParameters(ret.params.params_val,

5
src/remote/remote_protocol.x
View File

@ -237,6 +237,9 @@ const REMOTE_NODE_MEMORY_PARAMETERS_MAX = 64;
/* Upper limit on migrate parameters */ /* Upper limit on migrate parameters */
const REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX = 64; const REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX = 64;
/* Upper limit on number of job stats */
const REMOTE_DOMAIN_JOB_STATS_MAX = 16;
/* UUID. VIR_UUID_BUFLEN definition comes from libvirt.h */ /* UUID. VIR_UUID_BUFLEN definition comes from libvirt.h */
typedef opaque remote_uuid[VIR_UUID_BUFLEN]; typedef opaque remote_uuid[VIR_UUID_BUFLEN];
@ -2196,7 +2199,7 @@ struct remote_domain_get_job_stats_args {
struct remote_domain_get_job_stats_ret { struct remote_domain_get_job_stats_ret {
int type; int type;
remote_typed_param params<>; remote_typed_param params<REMOTE_DOMAIN_JOB_STATS_MAX>;
}; };