Backport of: From 53a5266e90ea09a5522f5ed867150a75c74052c3 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio <freddy77@gmail.com> Date: Fri, 2 Oct 2020 12:27:59 +0100 Subject: [PATCH 03/10] Avoids uncontrolled "active_xfers" allocations Limit the number of active file transfers possibly causing DoSes consuming memory in "active_xfers". This issue was reported by SUSE security team. Signed-off-by: Frediano Ziglio <fziglio@redhat.com> Acked-by: Uri Lublin <uril@redhat.com> --- src/vdagentd/vdagentd.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) --- a/src/vdagentd/vdagentd.c +++ b/src/vdagentd/vdagentd.c @@ -47,6 +47,14 @@ #define DEFAULT_UINPUT_DEVICE "/dev/uinput" +// Maximum number of transfers active at any time. +// Avoid DoS from client. +// As each transfer could likely end up taking a file descriptor +// it is good to have a limit less than the number of file descriptors +// in the process (by default 1024). The daemon do not open file +// descriptors for the transfers but the agents do. +#define MAX_ACTIVE_TRANSFERS 128 + struct agent_data { char *session; int width; @@ -344,6 +352,12 @@ static void do_client_file_xfer(struct v "Cancelling client file-xfer request %u", s->id, VD_AGENT_FILE_XFER_STATUS_SESSION_LOCKED, NULL, 0); return; + } else if (g_hash_table_size(active_xfers) >= MAX_ACTIVE_TRANSFERS) { + send_file_xfer_status(vport, + "Too many transfers ongoing. " + "Cancelling client file-xfer request %u", + s->id, VD_AGENT_FILE_XFER_STATUS_ERROR, NULL, 0); + return; } msg_type = VDAGENTD_FILE_XFER_START; id = s->id;