oxenstored: Enforce a maximum message size of 4096 bytes

The maximum size of a message is part of the protocol spec in
  xen/include/public/io/xs_wire.h

Before this patch a client which sends an overly large message can
cause a buffer read overrun.

Note if a badly-behaved client sends a very large message
then it will be difficult for them to make their connection
work again-- they will probably need to reboot.

This is a security issue, part of XSA-38 / CVE-2013-0215.

Signed-off-by: David Scott <dave.scott@eu.citrix.com>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

xen-unstable changeset: 26522:ffd30e7388ad
Backport-requested-by: security@xen.org
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/tools/ocaml/libs/xb/partial.ml b/tools/ocaml/libs/xb/partial.ml
index 3558889589..d4d1c7bdec 100644
--- a/tools/ocaml/libs/xb/partial.ml
+++ b/tools/ocaml/libs/xb/partial.ml
@@ -27,8 +27,15 @@ external header_size: unit -> int = "stub_header_size"
 external header_of_string_internal: string -> int * int * int * int
          = "stub_header_of_string"
 
+let xenstore_payload_max = 4096 (* xen/include/public/io/xs_wire.h *)
+
 let of_string s =
 	let tid, rid, opint, dlen = header_of_string_internal s in
+	(* A packet which is bigger than xenstore_payload_max is illegal.
+	   This will leave the guest connection is a bad state and will
+	   be hard to recover from without restarting the connection
+	   (ie rebooting the guest) *)
+	let dlen = min xenstore_payload_max dlen in
 	{
 		tid = tid;
 		rid = rid;
@@ -38,6 +45,7 @@ let of_string s =
 	}
 
 let append pkt s sz =
+	if pkt.len > 4096 then failwith "Buffer.add: cannot grow buffer";
 	Buffer.add_string pkt.buf (String.sub s 0 sz)
 
 let to_complete pkt =