diff options
author | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2013-02-07 14:26:37 +0000 |
---|---|---|
committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2013-02-07 14:26:37 +0000 |
commit | 4d249d79db70dc2756f6c102e2ddaeee14d7ac42 (patch) | |
tree | 444480fcd534aad456a324834247bea8b82268b2 | |
parent | a69bad54a915d039e3e571304d096898bd51e0ac (diff) | |
download | xen-4d249d79db70dc2756f6c102e2ddaeee14d7ac42.tar.gz xen-4d249d79db70dc2756f6c102e2ddaeee14d7ac42.tar.bz2 xen-4d249d79db70dc2756f6c102e2ddaeee14d7ac42.zip |
oxenstored: Enforce a maximum message size of 4096 bytes
The maximum size of a message is part of the protocol spec in
xen/include/public/io/xs_wire.h
Before this patch a client which sends an overly large message can
cause a buffer read overrun.
Note if a badly-behaved client sends a very large message
then it will be difficult for them to make their connection
work again-- they will probably need to reboot.
This is a security issue, part of XSA-38 / CVE-2013-0215.
Signed-off-by: David Scott <dave.scott@eu.citrix.com>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
xen-unstable changeset: 26522:ffd30e7388ad
Backport-requested-by: security@xen.org
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
-rw-r--r-- | tools/ocaml/libs/xb/partial.ml | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/tools/ocaml/libs/xb/partial.ml b/tools/ocaml/libs/xb/partial.ml index 3558889589..d4d1c7bdec 100644 --- a/tools/ocaml/libs/xb/partial.ml +++ b/tools/ocaml/libs/xb/partial.ml @@ -27,8 +27,15 @@ external header_size: unit -> int = "stub_header_size" external header_of_string_internal: string -> int * int * int * int = "stub_header_of_string" +let xenstore_payload_max = 4096 (* xen/include/public/io/xs_wire.h *) + let of_string s = let tid, rid, opint, dlen = header_of_string_internal s in + (* A packet which is bigger than xenstore_payload_max is illegal. + This will leave the guest connection is a bad state and will + be hard to recover from without restarting the connection + (ie rebooting the guest) *) + let dlen = min xenstore_payload_max dlen in { tid = tid; rid = rid; @@ -38,6 +45,7 @@ let of_string s = } let append pkt s sz = + if pkt.len > 4096 then failwith "Buffer.add: cannot grow buffer"; Buffer.add_string pkt.buf (String.sub s 0 sz) let to_complete pkt = |