Commit 9d35d8a8 authored by Frediano Ziglio's avatar Frediano Ziglio
Browse files

Avoids uncontrolled "active_xfers" allocations



Limit the number of active file transfers possibly causing DoSes
consuming memory in "active_xfers".

This issue was reported by SUSE security team.
Signed-off-by: Frediano Ziglio's avatarFrediano Ziglio <fziglio@redhat.com>
Acked-by: Uri Lublin's avatarUri Lublin <uril@redhat.com>
parent 1a8b93ca
......@@ -47,6 +47,14 @@
#define DEFAULT_UINPUT_DEVICE "/dev/uinput"
// Maximum number of transfers active at any time.
// Avoid DoS from client.
// As each transfer could likely end up taking a file descriptor
// it is good to have a limit less than the number of file descriptors
// in the process (by default 1024). The daemon do not open file
// descriptors for the transfers but the agents do.
#define MAX_ACTIVE_TRANSFERS 128
struct agent_data {
char *session;
int width;
......@@ -380,6 +388,21 @@ static void do_client_file_xfer(VirtioPort *vport,
"Cancelling client file-xfer request %u",
s->id, VD_AGENT_FILE_XFER_STATUS_SESSION_LOCKED, NULL, 0);
return;
} else if (g_hash_table_size(active_xfers) >= MAX_ACTIVE_TRANSFERS) {
VDAgentFileXferStatusError error = {
GUINT32_TO_LE(VD_AGENT_FILE_XFER_STATUS_ERROR_GLIB_IO),
GUINT32_TO_LE(G_IO_ERROR_TOO_MANY_OPEN_FILES),
};
size_t detail_size = sizeof(error);
if (!VD_AGENT_HAS_CAPABILITY(capabilities, capabilities_size,
VD_AGENT_CAP_FILE_XFER_DETAILED_ERRORS)) {
detail_size = 0;
}
send_file_xfer_status(vport,
"Too many transfers ongoing. "
"Cancelling client file-xfer request %u",
s->id, VD_AGENT_FILE_XFER_STATUS_ERROR, (void*) &error, detail_size);
return;
}
msg_type = VDAGENTD_FILE_XFER_START;
id = s->id;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment