[Xen-changelog] [xen stable-4.2] tools: xenstored: if the reply is too big then send E2BIG error
commit a2b1b99d74c7729b8346eeef23508be7e3d6fdca
Author: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
AuthorDate: Tue Oct 29 15:45:53 2013 +0000
Commit: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
CommitDate: Tue Oct 29 16:02:36 2013 +0000

tools: xenstored: if the reply is too big then send E2BIG error

This fixes the issue for both C and ocaml xenstored, however only the ocaml xenstored is vulnerable in its default configuration.
Adding a new error appears to be safe, since bit libxenstore and the Linux driver at least treat an unknown error code as EINVAL.
This is XSA-72 / CVE-2013-4416.
Original ocaml patch by Jerome Maloberti <jerome.maloberti@xxxxxxxxxx>
Signed-off-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
Signed-off-by: Thomas Sanders <thomas.sanders@xxxxxxxxxx>
(cherry picked from commit 8b2c441a1b53a43a38b3c517e28f239da3349872)
(cherry picked from commit d88ac91ef2f0a93ea9359a8133405dbd78abc89b)
---
tools/ocaml/xenstored/connection.ml | 11 ++++++++++-
tools/xenstore/xenstored_core.c | 5 +++++
xen/include/public/io/xs_wire.h | 3 ++-
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/tools/ocaml/xenstored/connection.ml b/tools/ocaml/xenstored/connection.ml
index 273fe4d..47695f8 100644
--- a/tools/ocaml/xenstored/connection.ml
+++ b/tools/ocaml/xenstored/connection.ml
@@ -18,6 +18,8 @@ exception End_of_file

 open Stdext

+let xenstore_payload_max = 4096 (* xen/include/public/io/xs_wire.h *)
+
 type watch = {
 con: t;
 token: string;
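Review bot: `xenstore_payload_max` is a hand-copied literal, and its trailing comment names only the header file, not the macro it mirrors. The C daemon's check in this same commit uses XENSTORE_PAYLOAD_MAX directly, so if that macro ever changes the OCaml limit would silently diverge from it. I would name the macro and the invariant in the comment: `(* must equal XENSTORE_PAYLOAD_MAX in xen/include/public/io/xs_wire.h *)`.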
@@ -112,8 +114,15 @@ let restrict con domid =
 let set_target con target_domid =
 con.perm <- Perms.Connection.set_target (get_perm con) ~perms:[Perms.READ; Perms.WRITE] target_domid

+let is_backend_mmap con = match con.xb.Xenbus.Xb.backend with
+ | Xenbus.Xb.Xenmmap _ -> true
+ | _ -> false
+
 let send_reply con tid rid ty data =
- Xenbus.Xb.queue con.xb (Xenbus.Xb.Packet.create tid rid ty data)
+ if (String.length data) > xenstore_payload_max && (is_backend_mmap con) then
+ Xenbus.Xb.queue con.xb (Xenbus.Xb.Packet.create tid rid Xenbus.Xb.Op.Error "E2BIG\000")
+ else
+ Xenbus.Xb.queue con.xb (Xenbus.Xb.Packet.create tid rid ty data)

 let send_error con tid rid err = send_reply con tid rid Xenbus.Xb.Op.Error (err ^ "\000")
 let send_ack con tid rid ty = send_reply con tid rid ty "OK\000"
diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index bd44645..07338b5 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -599,6 +599,11 @@ void send_reply(struct connection *conn, enum xsd_sockmsg_type type,
 {
 struct buffered_data *bdata;

+ if ( len > XENSTORE_PAYLOAD_MAX ) {
+ send_error(conn, E2BIG);
+ return;
+ }
+
 /* Message is a child of the connection context for auto-cleanup. */
 bdata = new_buffer(conn);
 bdata->buffer = talloc_array(bdata, char, len);
diff --git a/xen/include/public/io/xs_wire.h b/xen/include/public/io/xs_wire.h
index 7e454c4..70a048a 100644
--- a/xen/include/public/io/xs_wire.h
+++ b/xen/include/public/io/xs_wire.h
@@ -83,7 +83,8 @@ __attribute__((unused))
 XSD_ERROR(EROFS),
 XSD_ERROR(EBUSY),
 XSD_ERROR(EAGAIN),
- XSD_ERROR(EISCONN)
+ XSD_ERROR(EISCONN),
+ XSD_ERROR(E2BIG)
 };
 #endif

-- generated by git-patchbot for /home/xen/git/xen.git#stable-4.2
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
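Review bot: The size check in `send_reply` is gated on `is_backend_mmap con`, so replies on any other backend are still queued at any length, and nothing in the code says that this is deliberate. The C `send_reply` changed in this same commit rejects an oversized reply on every connection, so the two daemons now behave differently for non-ring clients. If the exemption is intended (presumably because only the shared ring is bound by the wire limit), say so above the `if`: `(* Only ring (Xenmmap) connections are limited to xenstore_payload_max; other backends may carry larger replies. *)`. The E2BIG path is also taken silently; a log entry naming the connection would let an operator see which guest keeps hitting the limit.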
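Review bot: The new early return in `send_reply` replaces the caller's reply with an error but carries no comment, and it relies on two things a reader cannot see from this hunk. It assumes `send_error()` can translate E2BIG, which holds only because the xs_wire.h hunk in this commit adds it to the error table. It also assumes the error reply is short enough that re-entering `send_reply()` cannot hit this branch again (the C `send_error` is not visible here, but the OCaml `send_error` on this page goes through `send_reply`). I would add above the check: `/* Replies over the wire limit are replaced by E2BIG; the error string is short, so send_error() cannot recurse into this branch. */`. The function's signature and the rest of its body lie outside the hunk.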