Add bounds checking on virConnectListAllDomains RPC call

The return values for the virConnectListAllDomains call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

daemon/remote.c

@@ -1050,6 +1050,13 @@ remoteDispatchConnectListAllDomains(virNetServerPtr server ATTRIBUTE_UNUSED,
                                              args->flags)) < 0)
         goto cleanup;
 
+    if (ndomains > REMOTE_DOMAIN_LIST_MAX) {
+        virReportError(VIR_ERR_RPC,
+                       _("Too many domains '%d' for limit '%d'"),
+                       ndomains, REMOTE_DOMAIN_LIST_MAX);
+        goto cleanup;
+    }
+
     if (doms && ndomains) {
         if (VIR_ALLOC_N(ret->domains.domains_val, ndomains) < 0)
             goto cleanup;

src/remote/remote_driver.c

@@ -1370,10 +1370,10 @@ remoteConnectListDomains(virConnectPtr conn, int *ids, int maxids)
 
     remoteDriverLock(priv);
 
-    if (maxids > REMOTE_DOMAIN_ID_LIST_MAX) {
+    if (maxids > REMOTE_DOMAIN_LIST_MAX) {
         virReportError(VIR_ERR_RPC,
-                       _("too many remote domain IDs: %d > %d"),
-                       maxids, REMOTE_DOMAIN_ID_LIST_MAX);
+                       _("Too many domains '%d' for limit '%d'"),
+                       maxids, REMOTE_DOMAIN_LIST_MAX);
         goto done;
     }
     args.maxids = maxids;
@@ -1386,7 +1386,7 @@ remoteConnectListDomains(virConnectPtr conn, int *ids, int maxids)
 
     if (ret.ids.ids_len > maxids) {
         virReportError(VIR_ERR_RPC,
-                       _("too many remote domain IDs: %d > %d"),
+                       _("Too many domains '%d' for limit '%d'"),
                        ret.ids.ids_len, maxids);
         goto cleanup;
     }
@@ -1433,6 +1433,13 @@ remoteConnectListAllDomains(virConnectPtr conn,
              (char *) &ret) == -1)
         goto done;
 
+    if (ret.domains.domains_len > REMOTE_DOMAIN_LIST_MAX) {
+        virReportError(VIR_ERR_RPC,
+                       _("Too many domains '%d' for limit '%d'"),
+                       ret.domains.domains_len, REMOTE_DOMAIN_LIST_MAX);
+        goto cleanup;
+    }
+
     if (domains) {
         if (VIR_ALLOC_N(doms, ret.domains.domains_len + 1) < 0)
             goto cleanup;

src/remote/remote_protocol.x

@@ -73,13 +73,8 @@ typedef string remote_nonnull_string<REMOTE_STRING_MAX>;
 /* A long string, which may be NULL. */
 typedef remote_nonnull_string *remote_string;
 
-/* This just places an upper limit on the length of lists of
- * domain IDs which may be sent via the protocol.
- */
-const REMOTE_DOMAIN_ID_LIST_MAX = 16384;
-
-/* Upper limit on lists of domain names. */
-const REMOTE_DOMAIN_NAME_LIST_MAX = 16384;
+/* Upper limit on lists of domains. */
+const REMOTE_DOMAIN_LIST_MAX = 16384;
 
 /* Upper limit on cpumap (bytes) passed to virDomainPinVcpu. */
 const REMOTE_CPUMAP_MAX = 2048;
@@ -724,7 +719,7 @@ struct remote_connect_list_domains_args {
 };
 
 struct remote_connect_list_domains_ret {
-    int ids<REMOTE_DOMAIN_ID_LIST_MAX>; /* insert@1 */
+    int ids<REMOTE_DOMAIN_LIST_MAX>; /* insert@1 */
 };
 
 struct remote_connect_num_of_domains_ret {
@@ -990,7 +985,7 @@ struct remote_connect_list_defined_domains_args {
 };
 
 struct remote_connect_list_defined_domains_ret {
-    remote_nonnull_string names<REMOTE_DOMAIN_NAME_LIST_MAX>; /* insert@1 */
+    remote_nonnull_string names<REMOTE_DOMAIN_LIST_MAX>; /* insert@1 */
 };
 
 struct remote_connect_num_of_defined_domains_ret {
@@ -2665,7 +2660,7 @@ struct remote_connect_list_all_domains_args {
 };
 
 struct remote_connect_list_all_domains_ret {
-    remote_nonnull_domain domains<>;
+    remote_nonnull_domain domains<REMOTE_DOMAIN_LIST_MAX>;
     unsigned int ret;
 };