
changeset 16610:95bb6485d29d

xenstore size limits

* Documents the existing 4kby size limit on xenstore message payloads
* Causes xs.c in libxenstore to fail locally rather than violating
said limit (which is good because xenstored kills the client
connection if it's exceeded).
* Introduces some limits on path lengths in xenstored. I trust
no-one is using path lengths >2kby. This is good because currently
a domain client can create a 4kby relative path that the dom0 tools
cannot access since they'd have to specify the somewhat longer
absolute path.
* Removes uses of the host's PATH_MAX (!)

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
author Keir Fraser <keir.fraser@citrix.com>
date Fri Dec 14 10:15:00 2007 +0000 (2007-12-14)
parents a4fadcab5cb0
children 1f8797a74743
files docs/misc/xenstore.txt tools/xenstore/xenstored_core.c tools/xenstore/xenstored_watch.c tools/xenstore/xs.c tools/xenstore/xsls.c xen/include/public/io/xs_wire.h
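--- a/docs/misc/xenstore.txt
+++ b/docs/misc/xenstore.txt
@@ -38,7 +38,9 @@ The permitted character for paths set is
 the four punctuation characters -/_@ (hyphen slash underscore atsign).
 @ should be avoided except to specify special watches (see below).
 Doubled slashes and trailing slashes (except to specify the root) are
-forbidden.  The empty path is also forbidden.
+forbidden.  The empty path is also forbidden.  Paths longer than 3072
+bytes are forbidden; clients specifying relative paths should keep
+them to within 2048 bytes.  (See XENSTORE_*_PATH_MAX in xs_wire.h.)
 
 
 Communication with xenstore is via either sockets, or event channel
@@ -56,6 +58,20 @@ order and must use req_id (and tx_id, if
 replies to requests.  (The current implementation always replies to
 requests in the order received but this should not be relied on.)
 
+The payload length (len field of the header) is limited to 4096
+(XENSTORE_PAYLOAD_MAX) in both directions.  If a client exceeds the
+limit, its xenstored connection will be immediately killed by
+xenstored, which is usually catastrophic from the client's point of
+view.  Clients (particularly domains, which cannot just reconnect)
+should avoid this.
+
+Existing clients do not always contain defences against overly long
+payloads.  Increasing xenstored's limit is therefore difficult; it
+would require negotiation with the client, and obviously would make
+parts of xenstore inaccessible to some clients.  In any case passing
+bulk data through xenstore is not recommended as the performance
+properties are poor.
+
 
 ---------- Xenstore protocol details - introduction ----------
 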
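--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -672,6 +672,9 @@ bool is_valid_nodename(const char *node)
 	if (strstr(node, "//"))
 		return false;
 
+	if (strlen(node) > XENSTORE_ABS_PATH_MAX)
+		return false;
+
 	return valid_chars(node);
 }
 
@@ -1281,7 +1284,7 @@ static void handle_input(struct connecti
 		if (in->used != sizeof(in->hdr))
 			return;
 
-		if (in->hdr.msg.len > PATH_MAX) {
+		if (in->hdr.msg.len > XENSTORE_PAYLOAD_MAX) {
 			syslog(LOG_ERR, "Client tried to feed us %i",
 			       in->hdr.msg.len);
 			goto bad_client;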
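Review bot: The new bound on `in->hdr.msg.len` is right, but the `syslog` on the two context lines that follow still prints that field with `%i`, and `len` in the `struct xsd_sockmsg` header is an unsigned 32-bit field, so the matching conversion is `"Client tried to feed us %u"`. This is the path that drops the client (`goto bad_client`), so the log line is the only record of why a domain's connection disappeared and should print the offending length faithfully. handle_input's body begins and ends outside the hunk.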
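--- a/tools/xenstore/xenstored_watch.c
+++ b/tools/xenstore/xenstored_watch.c
@@ -125,6 +125,10 @@ void do_watch(struct connection *conn, s
 
 	if (strstarts(vec[0], "@")) {
 		relative = false;
+		if (strlen(vec[0]) > XENSTORE_REL_PATH_MAX) {
+			send_error(conn, EINVAL);
+			return;
+		}
 		/* check if valid event */
 	} else {
 		relative = !strstarts(vec[0], "/");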
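Review bot: The added length check covers only special `@` watches, and the `else` branch that follows gets no counterpart in this hunk, so ordinary relative paths are presumably bounded later by the `XENSTORE_ABS_PATH_MAX` check in is_valid_nodename once the domain prefix has been added — the hunk does not show that, so confirm it. The choice of `XENSTORE_REL_PATH_MAX` for `@` paths, which are neither prefixed nor canonicalised here, deserves a comment so the next reader does not "fix" it to the absolute limit, e.g. `/* Special watches bypass the node-name checks, so bound them here (as a relative path). */`. do_watch's body starts and ends outside the hunk.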
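--- a/tools/xenstore/xs.c
+++ b/tools/xenstore/xs.c
@@ -319,6 +319,11 @@ static void *xs_talkv(struct xs_handle *
 	for (i = 0; i < num_vecs; i++)
 		msg.len += iovec[i].iov_len;
 
+	if (msg.len > XENSTORE_PAYLOAD_MAX) {
+		errno = E2BIG;
+		return 0;
+	}
+
 	ignorepipe.sa_handler = SIG_IGN;
 	sigemptyset(&ignorepipe.sa_mask);
 	ignorepipe.sa_flags = 0;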
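Review bot: The new check runs after the vector lengths have been summed into `msg.len`; if `msg` is the `struct xsd_sockmsg` wire header, `len` is 32 bits while `iov_len` is `size_t`, so on a 64-bit build a set of vectors totalling 4 GiB or more wraps before the comparison and slips past the guard that this commit is adding. Accumulating into a `size_t` and comparing that, then assigning the (now known-small) total to `msg.len`, closes the gap. Separately, `return 0` from a function declared `void *` reads better as `return NULL`. xs_talkv's body continues outside the hunk on both sides.

```c
	size_t total = 0;
	for (i = 0; i < num_vecs; i++)
		total += iovec[i].iov_len;

	/* Compare in size_t: the 32-bit wire length would wrap first. */
	if (total > XENSTORE_PAYLOAD_MAX) {
		errno = E2BIG;
		return NULL;
	}
	msg.len = total;

	/* … unchanged: SIGPIPE setup and the rest of xs_talkv … */
```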
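--- a/tools/xenstore/xsls.c
+++ b/tools/xenstore/xsls.c
@@ -8,7 +8,7 @@
 #include <sys/ioctl.h>
 #include <termios.h>
 
-#define STRING_MAX PATH_MAX
+#define STRING_MAX XENSTORE_ABS_PATH_MAX+1024
 static int max_width = 80;
 static int desired_width = 60;
 static int show_whole_path = 0;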
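Review bot: The macro body `XENSTORE_ABS_PATH_MAX+1024` is not parenthesised, so a use such as `STRING_MAX * 2` or `n - STRING_MAX` expands with the wrong precedence and yields a silently wrong size; write it as `#define STRING_MAX (XENSTORE_ABS_PATH_MAX + 1024)`. The old value came from `<limits.h>` via `PATH_MAX`, whereas the new one needs xs_wire.h to be visible in this file; the hunk adds no include, so it presumably arrives through an existing header — worth confirming so the build does not depend on include order.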
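--- a/xen/include/public/io/xs_wire.h
+++ b/xen/include/public/io/xs_wire.h
@@ -108,6 +108,13 @@ struct xenstore_domain_interface {
     XENSTORE_RING_IDX rsp_cons, rsp_prod;
 };
 
+/* Violating this is very bad.  See docs/misc/xenstore.txt. */
+#define XENSTORE_PAYLOAD_MAX 4096
+
+/* Violating these just gets you an error back */
+#define XENSTORE_ABS_PATH_MAX 3072
+#define XENSTORE_REL_PATH_MAX 2048
+
 #endif /* _XS_WIRE_H */
 
 /*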
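Review bot: The comment on the two path limits says what happens when they are violated but not what the number measures, and since this is a public wire header that clients size buffers from, it should. xenstored enforces them as `strlen(node) > XENSTORE_ABS_PATH_MAX`, so a path of exactly that many bytes, NUL excluded, is accepted and a buffer holding one needs an extra byte; a comment such as `/* Limits on strlen() of a path, NUL terminator excluded; a buffer holding one needs MAX+1 bytes.  Exceeding them gets EINVAL back. */` would pin both points. The payload comment could likewise say that the length is the `len` field of the message header, so readers do not take it as a limit on node values alone.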