diff options
author | Frediano Ziglio <freddy77@gmail.com> | 2020-10-02 12:27:59 +0100 |
---|---|---|
committer | Frediano Ziglio <freddy77@gmail.com> | 2020-10-29 14:59:18 +0000 |
commit | 9d35d8a86fb310fc1f29d428c0a96995948d2357 (patch) | |
tree | 35d25b67cf20f02c013bc9b7f58366431929cd5b | |
parent | 1a8b93ca6ac0b690339ab7f0afc6fc45d198d332 (diff) |
Avoids uncontrolled "active_xfers" allocations
Limit the number of active file transfers possibly causing DoSes
consuming memory in "active_xfers".
This issue was reported by SUSE security team.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Uri Lublin <uril@redhat.com>
-rw-r--r-- | src/vdagentd/vdagentd.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c index f15989d..8462889 100644 --- a/src/vdagentd/vdagentd.c +++ b/src/vdagentd/vdagentd.c @@ -47,6 +47,14 @@ #define DEFAULT_UINPUT_DEVICE "/dev/uinput" +// Maximum number of transfers active at any time. +// Avoid DoS from client. +// As each transfer could likely end up taking a file descriptor +// it is good to have a limit less than the number of file descriptors +// in the process (by default 1024). The daemon do not open file +// descriptors for the transfers but the agents do. +#define MAX_ACTIVE_TRANSFERS 128 + struct agent_data { char *session; int width; @@ -380,6 +388,21 @@ static void do_client_file_xfer(VirtioPort *vport, "Cancelling client file-xfer request %u", s->id, VD_AGENT_FILE_XFER_STATUS_SESSION_LOCKED, NULL, 0); return; + } else if (g_hash_table_size(active_xfers) >= MAX_ACTIVE_TRANSFERS) { + VDAgentFileXferStatusError error = { + GUINT32_TO_LE(VD_AGENT_FILE_XFER_STATUS_ERROR_GLIB_IO), + GUINT32_TO_LE(G_IO_ERROR_TOO_MANY_OPEN_FILES), + }; + size_t detail_size = sizeof(error); + if (!VD_AGENT_HAS_CAPABILITY(capabilities, capabilities_size, + VD_AGENT_CAP_FILE_XFER_DETAILED_ERRORS)) { + detail_size = 0; + } + send_file_xfer_status(vport, + "Too many transfers ongoing. " + "Cancelling client file-xfer request %u", + s->id, VD_AGENT_FILE_XFER_STATUS_ERROR, (void*) &error, detail_size); + return; } msg_type = VDAGENTD_FILE_XFER_START; id = s->id; |