
On Sun, Aug 18, 2013 at 03:33:16PM +0800, Osier Yang wrote:
On 15/08/13 17:36, Daniel P. Berrange wrote:
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x index 7cfebdf..06929e7 100644 --- a/src/remote/remote_protocol.x +++ b/src/remote/remote_protocol.x @@ -2837,6 +2837,27 @@ struct remote_domain_event_device_removed_msg { remote_nonnull_string devAlias; }; +struct remote_domain_ip_addr { + int type; + remote_nonnull_string addr; + int prefix; +}; + +struct remote_domain_interface { + remote_nonnull_string name; + remote_string hwaddr; + remote_domain_ip_addr ip_addrs<>;

Use of <> *NOT* allowed - this is a security flaw allowing the client to trigger DOS on libvirtd allocating memory. Follow the examples of other APIs which set an explicit limit.
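Review bot: `remote_domain_ip_addr ip_addrs<>;` in `remote_domain_interface` declares no upper bound, so the element count the XDR decoder allocates for is taken straight from the wire. Declare a maximum and use it in the field, e.g. `ip_addrs<REMOTE_DOMAIN_IP_ADDR_MAX>` (the constant name is a placeholder, not taken from the patch). Because this array is nested inside each interface entry, any array of `remote_domain_interface` needs its own explicit bound as well, otherwise the two counts multiply.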
In that case, we have a bug in APIs like listAllDomains too, as they use variable-length arrays too.
Sigh. In future please don't report security problems like that on this mailing list. We have a dedicated security list for responsible disclosure of issues in libvirt released code.

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
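The allocation issue raised in this thread, as an added C example that is not libvirt's code and not part of the original mails: a simplified decoder for an XDR variable-length array that allocates for the claimed element count before reading any element, run once with the limit `<>` implies and once with an explicit one. `decode_ip_addrs`, `IP_ADDR_MAX` (2048), the two-field element and both messages are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define XDR_UNBOUNDED 0xffffffffu /* effective limit of "<>" in XDR */
#define IP_ADDR_MAX   2048u       /* assumed explicit limit, not libvirt's */
struct ip_addr { uint32_t type; uint32_t prefix; }; /* simplified element */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode "ip_addr arr<max>": 4-byte big-endian count, then 8-byte elements.
 * Memory for the whole claimed count is allocated before any element is
 * read; *requested records that size. Returns 0 on success, -1 otherwise. */
int decode_ip_addrs(const uint8_t *msg, size_t len, uint32_t max,
                    struct ip_addr **out, uint32_t *n, size_t *requested)
{
    *out = NULL; *n = 0; *requested = 0;
    if (len < 4) return -1;
    uint32_t count = be32(msg);
    if (count > max) return -1;      /* the check an explicit bound enables */
    if (count == 0) return 0;
    *requested = (size_t)count * sizeof(struct ip_addr);
    struct ip_addr *arr = calloc(count, sizeof(*arr));
    if (!arr) return -1;
    for (uint32_t i = 0; i < count; i++) {
        size_t off = 4 + (size_t)i * 8;
        if (off + 8 > len) { free(arr); return -1; }  /* truncated body */
        arr[i].type = be32(msg + off);
        arr[i].prefix = be32(msg + off + 4);
    }
    *out = arr; *n = count;
    return 0;
}

/* Constructed messages: a bare header claiming 0x00100000 elements, and a
 * well-formed two-element array. */
const uint8_t msg_oversized[4] = {0x00, 0x10, 0x00, 0x00};
const uint8_t msg_valid[20] = {0,0,0,2, 0,0,0,0, 0,0,0,24, 0,0,0,1, 0,0,0,64};

int main(void)
{
    struct ip_addr *a; uint32_t n; size_t unb, bnd;
    decode_ip_addrs(msg_oversized, 4, XDR_UNBOUNDED, &a, &n, &unb);
    decode_ip_addrs(msg_oversized, 4, IP_ADDR_MAX, &a, &n, &bnd);
    printf("requested: unbounded=%zu bounded=%zu\n", unb, bnd);
    return 0;
}
```

Both calls on the oversized message fail, but only the bounded one fails before the allocator is asked for memory sized by the sender.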