[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.14] tools/xenstore: drop watch event messages exceeding maximum size



commit 7214cc7457a2862984039e96f21a5e03bfd16c50
Author:     Juergen Gross <jgross@xxxxxxxx>
AuthorDate: Tue Dec 15 14:08:21 2020 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Dec 15 14:08:21 2020 +0100

    tools/xenstore: drop watch event messages exceeding maximum size
    
    By setting a watch with a very large tag it is possible to trick
    xenstored to send watch event messages exceeding the maximum allowed
    payload size. This might in turn lead to a crash of xenstored as the
    resulting error can cause dereferencing a NULL pointer in case there
    is no active request being handled by the guest the watch event is
    being sent to.
    
    Fix that by just dropping such watch events. Additionally modify the
    error handling to test the pointer to be not NULL before dereferencing
    it.
    
    This is XSA-324.
    
    Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
    Acked-by: Julien Grall <jgrall@xxxxxxxxxx>
---
 tools/xenstore/xenstored_core.c  | 3 +++
 tools/xenstore/xenstored_watch.c | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 505560a5de..56b5e4578b 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -682,6 +682,9 @@ void send_reply(struct connection *conn, enum 
xsd_sockmsg_type type,
        /* Replies reuse the request buffer, events need a new one. */
        if (type != XS_WATCH_EVENT) {
                bdata = conn->in;
+               /* Drop asynchronous responses, e.g. errors for watch events. */
+               if (!bdata)
+                       return;
                bdata->inhdr = true;
                bdata->used = 0;
                conn->in = NULL;
diff --git a/tools/xenstore/xenstored_watch.c b/tools/xenstore/xenstored_watch.c
index 71c108ea99..9ff20690c0 100644
--- a/tools/xenstore/xenstored_watch.c
+++ b/tools/xenstore/xenstored_watch.c
@@ -92,6 +92,10 @@ static void add_event(struct connection *conn,
        }
 
        len = strlen(name) + 1 + strlen(watch->token) + 1;
+       /* Don't try to send over-long events. */
+       if (len > XENSTORE_PAYLOAD_MAX)
+               return;
+
        data = talloc_array(ctx, char, len);
        if (!data)
                return;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.14



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.