Add bounds checking on virDomainGetJobStats RPC call

The return values for the virDomainGetJobStats call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

diff --git a/daemon/remote.c b/daemon/remote.c
index a11ba942f3f49e8450b44cbb7a72faba0ea4b4ba..ad7801193206ae61315f31a948666c23412c7201 100644 (file)
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -4579,6 +4579,13 @@ remoteDispatchDomainGetJobStats(virNetServerPtr server ATTRIBUTE_UNUSED,
                              &nparams, args->flags) < 0)
         goto cleanup;
 
+    if (nparams > REMOTE_DOMAIN_JOB_STATS_MAX) {
+        virReportError(VIR_ERR_RPC,
+                       _("Too many job stats '%d' for limit '%d'"),
+                       nparams, REMOTE_DOMAIN_JOB_STATS_MAX);
+        goto cleanup;
+    }
+
     if (remoteSerializeTypedParameters(params, nparams,
                                        &ret->params.params_val,
                                        &ret->params.params_len,

diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 30f8f905b45857ea78d62fe0acd2db7c5347132d..33b2b0fa7e74737563799b7fc2599c159e72c147 100644 (file)
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -5998,6 +5998,14 @@ remoteDomainGetJobStats(virDomainPtr domain,
              (xdrproc_t) xdr_remote_domain_get_job_stats_ret, (char *) &ret) == -1)
         goto done;
 
+    if (ret.params.params_len > REMOTE_DOMAIN_JOB_STATS_MAX) {
+        virReportError(VIR_ERR_RPC,
+                       _("Too many job stats '%d' for limit '%d'"),
+                       ret.params.params_len,
+                       REMOTE_DOMAIN_JOB_STATS_MAX);
+        goto cleanup;
+    }
+
     *type = ret.type;
 
     if (remoteDeserializeTypedParameters(ret.params.params_val,

diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index 4262c3439ab6a896a4d704d6713c5b3eaf2125f7..eff7e1c834c8145247cce72c4c0a5ea72d0fb725 100644 (file)
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -237,6 +237,9 @@ const REMOTE_NODE_MEMORY_PARAMETERS_MAX = 64;
 /* Upper limit on migrate parameters */
 const REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX = 64;
 
+/* Upper limit on number of job stats */
+const REMOTE_DOMAIN_JOB_STATS_MAX = 16;
+
 /* UUID.  VIR_UUID_BUFLEN definition comes from libvirt.h */
 typedef opaque remote_uuid[VIR_UUID_BUFLEN];
 
@@ -2196,7 +2199,7 @@ struct remote_domain_get_job_stats_args {
 
 struct remote_domain_get_job_stats_ret {
     int type;
-    remote_typed_param params<>;
+    remote_typed_param params<REMOTE_DOMAIN_JOB_STATS_MAX>;
 };