spice-vdagent/SOURCES/0011-Avoids-uncontrolled-active_xfers-allocations.patch

From b173eba1698138f92b08d4deeaac4d2979a67bbf Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <freddy77@gmail.com>
Date: Fri, 2 Oct 2020 12:27:59 +0100
Subject: [PATCH vd_agent_linux 11/17] Avoids uncontrolled "active_xfers"
 allocations

Limit the number of active file transfers possibly causing DoSes
consuming memory in "active_xfers".

This issue was reported by SUSE security team.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Uri Lublin <uril@redhat.com>
---
 src/vdagentd/vdagentd.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c
index 8961a99..b31941d 100644
--- a/src/vdagentd/vdagentd.c
+++ b/src/vdagentd/vdagentd.c
@@ -47,6 +47,14 @@
 
 #define DEFAULT_UINPUT_DEVICE "/dev/uinput"
 
+// Maximum number of transfers active at any time.
+// Avoid DoS from client.
+// As each transfer could likely end up taking a file descriptor
+// it is good to have a limit less than the number of file descriptors
+// in the process (by default 1024). The daemon do not open file
+// descriptors for the transfers but the agents do.
+#define MAX_ACTIVE_TRANSFERS 128
+
 struct agent_data {
     char *session;
     int width;
@@ -380,6 +388,21 @@ static void do_client_file_xfer(VirtioPort *vport,
                "Cancelling client file-xfer request %u",
                s->id, VD_AGENT_FILE_XFER_STATUS_SESSION_LOCKED, NULL, 0);
             return;
+        } else if (g_hash_table_size(active_xfers) >= MAX_ACTIVE_TRANSFERS) {
+            VDAgentFileXferStatusError error = {
+                GUINT32_TO_LE(VD_AGENT_FILE_XFER_STATUS_ERROR_GLIB_IO),
+                GUINT32_TO_LE(G_IO_ERROR_TOO_MANY_OPEN_FILES),
+            };
+            size_t detail_size = sizeof(error);
+            if (!VD_AGENT_HAS_CAPABILITY(capabilities, capabilities_size,
+                                         VD_AGENT_CAP_FILE_XFER_DETAILED_ERRORS)) {
+                detail_size = 0;
+            }
+            send_file_xfer_status(vport,
+               "Too many transfers ongoing. "
+               "Cancelling client file-xfer request %u",
+               s->id, VD_AGENT_FILE_XFER_STATUS_ERROR, (void*) &error, detail_size);
+            return;
         }
         msg_type = VDAGENTD_FILE_XFER_START;
         id = s->id;
-- 
2.26.2
import spice-vdagent-0.20.0-3.el8 2021-05-18 06:39:58 +00:00			`From b173eba1698138f92b08d4deeaac4d2979a67bbf Mon Sep 17 00:00:00 2001`
			`From: Frediano Ziglio <freddy77@gmail.com>`
			`Date: Fri, 2 Oct 2020 12:27:59 +0100`
			`Subject: [PATCH vd_agent_linux 11/17] Avoids uncontrolled "active_xfers"`
			`allocations`

			`Limit the number of active file transfers possibly causing DoSes`
			`consuming memory in "active_xfers".`

			`This issue was reported by SUSE security team.`

			`Signed-off-by: Frediano Ziglio <fziglio@redhat.com>`
			`Acked-by: Uri Lublin <uril@redhat.com>`
			`---`
			`src/vdagentd/vdagentd.c \| 23 +++++++++++++++++++++++`
			`1 file changed, 23 insertions(+)`

			`diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c`
			`index 8961a99..b31941d 100644`
			`--- a/src/vdagentd/vdagentd.c`
			`+++ b/src/vdagentd/vdagentd.c`
			`@@ -47,6 +47,14 @@`

			`#define DEFAULT_UINPUT_DEVICE "/dev/uinput"`

			`+// Maximum number of transfers active at any time.`
			`+// Avoid DoS from client.`
			`+// As each transfer could likely end up taking a file descriptor`
			`+// it is good to have a limit less than the number of file descriptors`
			`+// in the process (by default 1024). The daemon do not open file`
			`+// descriptors for the transfers but the agents do.`
			`+#define MAX_ACTIVE_TRANSFERS 128`
			`+`
			`struct agent_data {`
			`char *session;`
			`int width;`
			`@@ -380,6 +388,21 @@ static void do_client_file_xfer(VirtioPort *vport,`
			`"Cancelling client file-xfer request %u",`
			`s->id, VD_AGENT_FILE_XFER_STATUS_SESSION_LOCKED, NULL, 0);`
			`return;`
			`+ } else if (g_hash_table_size(active_xfers) >= MAX_ACTIVE_TRANSFERS) {`
			`+ VDAgentFileXferStatusError error = {`
			`+ GUINT32_TO_LE(VD_AGENT_FILE_XFER_STATUS_ERROR_GLIB_IO),`
			`+ GUINT32_TO_LE(G_IO_ERROR_TOO_MANY_OPEN_FILES),`
			`+ };`
			`+ size_t detail_size = sizeof(error);`
			`+ if (!VD_AGENT_HAS_CAPABILITY(capabilities, capabilities_size,`
			`+ VD_AGENT_CAP_FILE_XFER_DETAILED_ERRORS)) {`
			`+ detail_size = 0;`
			`+ }`
			`+ send_file_xfer_status(vport,`
			`+ "Too many transfers ongoing. "`
			`+ "Cancelling client file-xfer request %u",`
			`+ s->id, VD_AGENT_FILE_XFER_STATUS_ERROR, (void*) &error, detail_size);`
			`+ return;`
			`}`
			`msg_type = VDAGENTD_FILE_XFER_START;`
			`id = s->id;`
			`--`
			`2.26.2`