tools/xenstore: drop watch event messages exceeding maximum size

By setting a watch with a very large tag it is possible to trick
xenstored to send watch event messages exceeding the maximum allowed
payload size. This might in turn lead to a crash of xenstored as the
resulting error can cause dereferencing a NULL pointer in case there
is no active request being handled by the guest the watch event is
being sent to.

Fix that by just dropping such watch events. Additionally modify the
error handling to test the pointer to be not NULL before dereferencing
it.

This is XSA-324.

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Julien Grall <jgrall@amazon.com>

diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 2a86c4aa5bcee170f7dd7d13eb23a3d853c3318e..65291414a338846d3b4680804ec8a15654d9b0df 100644 (file)
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -670,6 +670,9 @@ void send_reply(struct connection *conn, enum xsd_sockmsg_type type,
        /* Replies reuse the request buffer, events need a new one. */
        if (type != XS_WATCH_EVENT) {
                bdata = conn->in;
+               /* Drop asynchronous responses, e.g. errors for watch events. */
+               if (!bdata)
+                       return;
                bdata->inhdr = true;
                bdata->used = 0;
                conn->in = NULL;

diff --git a/tools/xenstore/xenstored_watch.c b/tools/xenstore/xenstored_watch.c
index be2479721fc9c886fe78a233df97dac5d23927a1..b2b77a3f03f26b72e30169eb38948b121e408333 100644 (file)
--- a/tools/xenstore/xenstored_watch.c
+++ b/tools/xenstore/xenstored_watch.c
@@ -92,6 +92,10 @@ static void add_event(struct connection *conn,
        }
 
        len = strlen(name) + 1 + strlen(watch->token) + 1;
+       /* Don't try to send over-long events. */
+       if (len > XENSTORE_PAYLOAD_MAX)
+               return;
+
        data = talloc_array(ctx, char, len);
        if (!data)
                return;