[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging-4.11] tools/xenstore: drop watch event messages exceeding maximum size



commit 40537713d604ef8065e09fa3eb606b3782b0d3f0
Author:     Juergen Gross <jgross@xxxxxxxx>
AuthorDate: Tue Dec 15 14:38:09 2020 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Dec 15 14:38:09 2020 +0100

    tools/xenstore: drop watch event messages exceeding maximum size
    
    By setting a watch with a very large tag it is possible to trick
    xenstored to send watch event messages exceeding the maximum allowed
    payload size. This might in turn lead to a crash of xenstored as the
    resulting error can cause dereferencing a NULL pointer in case there
    is no active request being handled by the guest the watch event is
    being sent to.
    
    Fix that by just dropping such watch events. Additionally modify the
    error handling to test the pointer to be not NULL before dereferencing
    it.
    
    This is XSA-324.
    
    Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
    Acked-by: Julien Grall <jgrall@xxxxxxxxxx>
---
 tools/xenstore/xenstored_core.c  | 3 +++
 tools/xenstore/xenstored_watch.c | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 4fbe5c759c..e8f2057a32 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -680,6 +680,9 @@ void send_reply(struct connection *conn, enum 
xsd_sockmsg_type type,
        /* Replies reuse the request buffer, events need a new one. */
        if (type != XS_WATCH_EVENT) {
                bdata = conn->in;
+               /* Drop asynchronous responses, e.g. errors for watch events. */
+               if (!bdata)
+                       return;
                bdata->inhdr = true;
                bdata->used = 0;
                conn->in = NULL;
diff --git a/tools/xenstore/xenstored_watch.c b/tools/xenstore/xenstored_watch.c
index be2479721f..b2b77a3f03 100644
--- a/tools/xenstore/xenstored_watch.c
+++ b/tools/xenstore/xenstored_watch.c
@@ -92,6 +92,10 @@ static void add_event(struct connection *conn,
        }
 
        len = strlen(name) + 1 + strlen(watch->token) + 1;
+       /* Don't try to send over-long events. */
+       if (len > XENSTORE_PAYLOAD_MAX)
+               return;
+
        data = talloc_array(ctx, char, len);
        if (!data)
                return;
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.11



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.