Avoids unlimited agent connections

Limit the number of agents that can be connected.
Avoids reaching the maximum number of files in a process.
Beside one file descriptor per agent the daemon open just some
other fixed number of files.

This issue was reported by SUSE security team.

Signed-off-by: Frediano Ziglio <freddy77@gmail.com>

1 files changed, 12 insertions, 0 deletions

diff --git a/src/udscs.c b/src/udscs.c
index 7c99eed..3df67b3 100644
--- a/src/udscs.c
+++ b/src/udscs.c
@@ -30,6 +30,12 @@
 #include "vdagentd-proto-strings.h"
 #include "vdagent-connection.h"
 
+// Maximum number of connected agents.
+// Avoid DoS from agents.
+// As each connection end up taking a file descriptor is good to have a limit
+// less than the number of file descriptors in the process (by default 1024).
+#define MAX_CONNECTED_AGENTS 128
+
 struct _UdscsConnection {
     VDAgentConnection parent_instance;
     int debug;
@@ -254,6 +260,12 @@ static gboolean udscs_server_accept_cb(GSocketService    *service,
     struct udscs_server *server = user_data;
     UdscsConnection *new_conn;
 
+    /* prevents DoS having too many agents attached */
+    if (g_list_length(server->connections) >= MAX_CONNECTED_AGENTS) {
+        syslog(LOG_ERR, "Too many agents connected");
+        return TRUE;
+    }
+
     new_conn = g_object_new(UDSCS_TYPE_CONNECTION, NULL);
     new_conn->debug = server->debug;
     new_conn->read_callback = server->read_callback;