[libvirt] [PATCH 11/12] Add bounds checking on virConnectListAllSecrets RPC call

Thursday, 29 August 2013

From: "Daniel P. Berrange" <berrange(a)redhat.com&gt;

The return values for the virConnectListAllSecrets call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com&gt;
---
 daemon/remote.c              | 7 +++++++
 src/remote/remote_driver.c   | 7 +++++++
 src/remote/remote_protocol.x | 6 +++---
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/daemon/remote.c b/daemon/remote.c
index e19b42d..6ace7af 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -4433,6 +4433,13 @@ remoteDispatchConnectListAllSecrets(virNetServerPtr server
ATTRIBUTE_UNUSED,
                                              args->flags)) < 0)
         goto cleanup;
 
+    if (nsecrets > REMOTE_SECRET_LIST_MAX) {
+        virReportError(VIR_ERR_RPC,
+                       _("Too many secrets '%d' for limit
'%d'"),
+                       nsecrets, REMOTE_SECRET_LIST_MAX);
+        goto cleanup;
+    }
+
     if (secrets && nsecrets) {
         if (VIR_ALLOC_N(ret->secrets.secrets_val, nsecrets) < 0)
             goto cleanup;
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index d486fa5..62e77a5 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -3107,6 +3107,13 @@ remoteConnectListAllSecrets(virConnectPtr conn,
              (char *) &ret) == -1)
         goto done;
 
+    if (ret.secrets.secrets_len > REMOTE_SECRET_LIST_MAX) {
+        virReportError(VIR_ERR_RPC,
+                       _("Too many secrets '%d' for limit
'%d'"),
+                       ret.secrets.secrets_len, REMOTE_SECRET_LIST_MAX);
+        goto cleanup;
+    }
+
     if (secrets) {
         if (VIR_ALLOC_N(tmp_secrets, ret.secrets.secrets_len + 1) < 0)
             goto cleanup;
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index b2841a7..a1c23da 100644
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -188,7 +188,7 @@ const REMOTE_SECRET_VALUE_MAX = 65536;
 /*
  * Upper limit on list of secrets.
  */
-const REMOTE_SECRET_UUID_LIST_MAX = 16384;
+const REMOTE_SECRET_LIST_MAX = 16384;
 
 /*
  * Upper limit on list of CPUs accepted when computing a baseline CPU.
@@ -2002,7 +2002,7 @@ struct remote_connect_list_secrets_args {
 };
 
 struct remote_connect_list_secrets_ret {
-    remote_nonnull_string uuids<REMOTE_SECRET_UUID_LIST_MAX>; /* insert@1 */
+    remote_nonnull_string uuids<REMOTE_SECRET_LIST_MAX>; /* insert@1 */
 };
 
 struct remote_secret_lookup_by_uuid_args {
@@ -2728,7 +2728,7 @@ struct remote_connect_list_all_secrets_args {
 };
 
 struct remote_connect_list_all_secrets_ret {
-    remote_nonnull_secret secrets<>;
+    remote_nonnull_secret secrets<REMOTE_SECRET_LIST_MAX>;
     unsigned int ret;
 };
 
-- 
1.8.3.1


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[libvirt] [PATCH 11/12] Add bounds checking on virConnectListAllSecrets RPC call