[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-4.2-testing] oxenstored: Enforce a maximum message size of 4096 bytes

  • To: xen-changelog@xxxxxxxxxxxxxxxxxxx
  • From: Xen patchbot-4.2-testing <patchbot@xxxxxxx>
  • Date: Sat, 09 Feb 2013 00:11:08 +0000
  • Delivery-date: Sat, 09 Feb 2013 00:11:24 +0000
  • List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>
# HG changeset patch
# User Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
# Date 1360247048 0
# Node ID c713f1f7d3c1add40bf94539447480fe1cd5cd0c
# Parent  b150d8787a05379037ce5e0234c49e805c7b0d91
oxenstored: Enforce a maximum message size of 4096 bytes

The maximum size of a message is part of the protocol spec in
  xen/include/public/io/xs_wire.h

Before this patch a client which sends an overly large message can
cause a buffer read overrun.

Note if a badly-behaved client sends a very large message
then it will be difficult for them to make their connection
work again-- they will probably need to reboot.

This is a security issue, part of XSA-38 / CVE-2013-0215.

Signed-off-by: David Scott <dave.scott@xxxxxxxxxxxxx>
Acked-by: Ian Campbell <Ian.Campbell@xxxxxxxxxx>
Committed-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>

xen-unstable changeset: 26522:ffd30e7388ad
Backport-requested-by: security@xxxxxxx
Committed-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
---


diff -r b150d8787a05 -r c713f1f7d3c1 tools/ocaml/libs/xb/partial.ml
--- a/tools/ocaml/libs/xb/partial.ml    Thu Feb 07 14:23:56 2013 +0000
+++ b/tools/ocaml/libs/xb/partial.ml    Thu Feb 07 14:24:08 2013 +0000
@@ -27,8 +27,15 @@ external header_size: unit -> int = "stu
 external header_of_string_internal: string -> int * int * int * int
          = "stub_header_of_string"
 
+let xenstore_payload_max = 4096 (* xen/include/public/io/xs_wire.h *)
+
 let of_string s =
        let tid, rid, opint, dlen = header_of_string_internal s in
+       (* A packet which is bigger than xenstore_payload_max is illegal.
+          This will leave the guest connection is a bad state and will
+          be hard to recover from without restarting the connection
+          (ie rebooting the guest) *)
+       let dlen = min xenstore_payload_max dlen in
        {
                tid = tid;
                rid = rid;
@@ -38,6 +45,7 @@ let of_string s =
        }
 
 let append pkt s sz =
+       if pkt.len > 4096 then failwith "Buffer.add: cannot grow buffer";
        Buffer.add_string pkt.buf (String.sub s 0 sz)
 
 let to_complete pkt =

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.