author | Frediano Ziglio <freddy77@gmail.com> | 2020-09-20 08:05:37 +0100 |
---|---|---|
committer | Frediano Ziglio <freddy77@gmail.com> | 2020-10-29 14:59:18 +0000 |
commit | 91caa9223857708475d29df1768208fed1675340 (patch) | |
tree | 08789bf89d5b448980cd7d7693a0410370f24d57 | |
parent | 9d35d8a86fb310fc1f29d428c0a96995948d2357 (diff) |
Avoids unlimited agent connections
Limit the number of agents that can be connected.
Avoids reaching the maximum number of files in a process.
Besides one file descriptor per agent, the daemon opens only a
fixed number of other files.
This issue was reported by SUSE security team.
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
-rw-r--r-- | src/udscs.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/udscs.c b/src/udscs.c
index 7c99eed..3df67b3 100644
--- a/src/udscs.c
+++ b/src/udscs.c
@@ -30,6 +30,12 @@
 #include "vdagentd-proto-strings.h"
 #include "vdagent-connection.h"
+// Maximum number of connected agents.
+// Avoid DoS from agents.
+// As each connection end up taking a file descriptor is good to have a limit
+// less than the number of file descriptors in the process (by default 1024).
+#define MAX_CONNECTED_AGENTS 128
+
 struct _UdscsConnection {
 VDAgentConnection parent_instance;
 int debug;
@@ -254,6 +260,12 @@ static gboolean udscs_server_accept_cb(GSocketService *service,
 struct udscs_server *server = user_data;
 UdscsConnection *new_conn;
+ /* prevents DoS having too many agents attached */
+ if (g_list_length(server->connections) >= MAX_CONNECTED_AGENTS) {
+ syslog(LOG_ERR, "Too many agents connected");
+ return TRUE;
+ }
+
 new_conn = g_object_new(UDSCS_TYPE_CONNECTION, NULL);
 new_conn->debug = server->debug;
 new_conn->read_callback = server->read_callback; |
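Review bot: The comment above `MAX_CONNECTED_AGENTS` relies on the process having the default 1024 file descriptors, but nothing in this hunk checks that, so a daemon started with a lower `RLIMIT_NOFILE` could still exhaust its descriptors before the cap of 128 is reached. I would state the assumption as a requirement, for example `// Each connection takes one file descriptor; keep this well below RLIMIT_NOFILE (1024 by default).` It may also be worth comparing the constant with the value returned by `getrlimit(RLIMIT_NOFILE, ...)` at startup and logging a warning when the margin is too small.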
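Review bot: The new check in `udscs_server_accept_cb` counts every entry in `server->connections` regardless of which peer opened it, so one local client holding `MAX_CONNECTED_AGENTS` connections open still keeps legitimate agents out; the cap protects the daemon's descriptors, not agent availability. If peer credentials are available at accept time (not visible in this hunk), a per-peer limit would close that gap; at minimum the comment should record the limitation, e.g. `/* global cap only: protects the daemon's fds, does not stop one peer from taking every slot */`. The `syslog(LOG_ERR, ...)` call also runs once per rejected connection, so the same client can fill the log; logging only on the transition into the saturated state, or at a bounded rate, would avoid that. The function body starts before and continues after the hunk.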