
[Xen-changelog] [xen stable-4.1] tools: xenstored: if the reply is too big then send E2BIG error



commit 5cd1c730438c3c2cf164dd99a93627d3bcef2b9f
Author:     Ian Campbell <ian.campbell@xxxxxxxxxx>
AuthorDate: Wed Oct 30 09:52:30 2013 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Wed Oct 30 09:52:30 2013 +0100

    tools: xenstored: if the reply is too big then send E2BIG error
    
    This fixes the issue for both C and ocaml xenstored, however only the ocaml
    xenstored is vulnerable in its default configuration.
    
    Adding a new error appears to be safe, since both libxenstore and the Linux
    driver at least treat an unknown error code as EINVAL.
    
    This is XSA-72 / CVE-2013-4416.
    
    Original ocaml patch by Jerome Maloberti <jerome.maloberti@xxxxxxxxxx>
    Signed-off-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
    Signed-off-by: Thomas Sanders <thomas.sanders@xxxxxxxxxx>
    master commit: 8b2c441a1b53a43a38b3c517e28f239da3349872
    master date: 2013-10-29 15:45:53 +0000
---
 tools/ocaml/xenstored/connection.ml |   11 ++++++++++-
 tools/xenstore/xenstored_core.c     |    5 +++++
 xen/include/public/io/xs_wire.h     |    3 ++-
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/tools/ocaml/xenstored/connection.ml 
b/tools/ocaml/xenstored/connection.ml
index c15595b..6506dea 100644
--- a/tools/ocaml/xenstored/connection.ml
+++ b/tools/ocaml/xenstored/connection.ml
@@ -18,6 +18,8 @@ exception End_of_file
 
 open Stdext
 
+let xenstore_payload_max = 4096 (* xen/include/public/io/xs_wire.h *)
+
 type watch = {
        con: t;
        token: string;
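Review bot: The new `xenstore_payload_max` is a hand-copied literal, and its comment names only the header file, not the macro it mirrors (presumably `XENSTORE_PAYLOAD_MAX`, which the C hunk in this commit uses). Nothing ties the two values together, so a later change to the header would leave the OCaml daemon enforcing a stale limit. I would make the comment explicit: `(* must stay equal to XENSTORE_PAYLOAD_MAX in xen/include/public/io/xs_wire.h *)`. The `type watch` definition that follows continues outside the hunk.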
@@ -112,8 +114,15 @@ let restrict con domid =
 let set_target con target_domid =
        con.perm <- Perms.Connection.set_target (get_perm con) 
~perms:[Perms.READ; Perms.WRITE] target_domid
 
+let is_backend_mmap con = match con.xb.Xenbus.Xb.backend with
+       | Xenbus.Xb.Xenmmap _ -> true
+       | _ -> false
+
 let send_reply con tid rid ty data =
-       Xb.queue con.xb (Xb.Packet.create tid rid ty data)
+       if (String.length data) > xenstore_payload_max && (is_backend_mmap con) 
then
+               Xb.queue con.xb (Xb.Packet.create tid rid Xb.Op.Error 
"E2BIG\000")
+       else
+               Xb.queue con.xb (Xb.Packet.create tid rid ty data)
 
 let send_error con tid rid err = send_reply con tid rid Xb.Op.Error (err ^ 
"\000")
 let send_ack con tid rid ty = send_reply con tid rid ty "OK\000"
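Review bot: The size check in `send_reply` is gated on `is_backend_mmap con`, so a reply longer than `xenstore_payload_max` is still queued unchanged on any other backend, while the C `send_reply` in this commit rejects oversized replies on every connection. If exempting the non-mmap backends is deliberate, the reason belongs in a comment at the check, for example `(* limit enforced only on the shared-ring (Xenmmap) backend; other backends are exempt on purpose, because <reason> *)`. Separately, `is_backend_mmap` ends in `| _ -> false`, which fails open: a backend constructor added later would silently be treated as unlimited. Listing the remaining constructor(s) explicitly instead of `_` lets the compiler flag that case.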
diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 1749740..0707ef6 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -600,6 +600,11 @@ void send_reply(struct connection *conn, enum 
xsd_sockmsg_type type,
 {
        struct buffered_data *bdata;
 
+       if ( len > XENSTORE_PAYLOAD_MAX ) {
+               send_error(conn, E2BIG);
+               return;
+       }
+
        /* Message is a child of the connection context for auto-cleanup. */
        bdata = new_buffer(conn);
        bdata->buffer = talloc_array(bdata, char, len);
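Review bot: The new guard at the top of `send_reply` replaces an oversized reply with an error and returns without recording anything, so an operator has no trace of which connection triggered it. A single log line naming the connection and `len`, written with whatever logging helper this file already uses, would make repeated attempts visible. The guard also deserves a short comment, e.g. `/* Replies above XENSTORE_PAYLOAD_MAX cannot go on the wire; answer E2BIG instead. */`. If `send_error()` itself goes through `send_reply()` (not visible here), the comment should add that the error string is short enough not to hit this check again. The function's signature and the rest of its body lie outside the hunk.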
diff --git a/xen/include/public/io/xs_wire.h b/xen/include/public/io/xs_wire.h
index e1debce..f10ccd0 100644
--- a/xen/include/public/io/xs_wire.h
+++ b/xen/include/public/io/xs_wire.h
@@ -82,7 +82,8 @@ __attribute__((unused))
     XSD_ERROR(EROFS),
     XSD_ERROR(EBUSY),
     XSD_ERROR(EAGAIN),
-    XSD_ERROR(EISCONN)
+    XSD_ERROR(EISCONN),
+    XSD_ERROR(E2BIG)
 };
 #endif
 
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.1



 

