From: Ian Campbell <ian.campbell@citrix.com>
Date: Wed, 30 Oct 2013 08:52:30 +0000 (+0100)
Subject: tools: xenstored: if the reply is too big then send E2BIG error
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=5cd1c730438c3c2cf164dd99a93627d3bcef2b9f;p=xen.git

tools: xenstored: if the reply is too big then send E2BIG error

This fixes the issue for both C and ocaml xenstored, however only the ocaml
xenstored is vulnerable in its default configuration.

Adding a new error appears to be safe, since bit libxenstore and the Linux
driver at least treat an unknown error code as EINVAL.

This is XSA-72 / CVE-2013-4416.

Original ocaml patch by Jerome Maloberti <jerome.maloberti@citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Thomas Sanders <thomas.sanders@citrix.com>
master commit: 8b2c441a1b53a43a38b3c517e28f239da3349872
master date: 2013-10-29 15:45:53 +0000
---

diff --git a/tools/ocaml/xenstored/connection.ml b/tools/ocaml/xenstored/connection.ml
index c15595b4da..6506dea31c 100644
--- a/tools/ocaml/xenstored/connection.ml
+++ b/tools/ocaml/xenstored/connection.ml
@@ -18,6 +18,8 @@ exception End_of_file
 
 open Stdext
 
+let xenstore_payload_max = 4096 (* xen/include/public/io/xs_wire.h *)
+
 type watch = {
 	con: t;
 	token: string;
@@ -112,8 +114,15 @@ let restrict con domid =
 let set_target con target_domid =
 	con.perm <- Perms.Connection.set_target (get_perm con) ~perms:[Perms.READ; Perms.WRITE] target_domid
 
+let is_backend_mmap con = match con.xb.Xenbus.Xb.backend with
+	| Xenbus.Xb.Xenmmap _ -> true
+	| _ -> false
+
 let send_reply con tid rid ty data =
-	Xb.queue con.xb (Xb.Packet.create tid rid ty data)
+	if (String.length data) > xenstore_payload_max && (is_backend_mmap con) then
+		Xb.queue con.xb (Xb.Packet.create tid rid Xb.Op.Error "E2BIG\000")
+	else
+		Xb.queue con.xb (Xb.Packet.create tid rid ty data)
 
 let send_error con tid rid err = send_reply con tid rid Xb.Op.Error (err ^ "\000")
 let send_ack con tid rid ty = send_reply con tid rid ty "OK\000"
diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 1749740482..0707ef6d07 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -600,6 +600,11 @@ void send_reply(struct connection *conn, enum xsd_sockmsg_type type,
 {
 	struct buffered_data *bdata;
 
+	if ( len > XENSTORE_PAYLOAD_MAX ) {
+		send_error(conn, E2BIG);
+		return;
+	}
+
 	/* Message is a child of the connection context for auto-cleanup. */
 	bdata = new_buffer(conn);
 	bdata->buffer = talloc_array(bdata, char, len);
diff --git a/xen/include/public/io/xs_wire.h b/xen/include/public/io/xs_wire.h
index e1debceb63..f10ccd0770 100644
--- a/xen/include/public/io/xs_wire.h
+++ b/xen/include/public/io/xs_wire.h
@@ -82,7 +82,8 @@ __attribute__((unused))
     XSD_ERROR(EROFS),
     XSD_ERROR(EBUSY),
     XSD_ERROR(EAGAIN),
-    XSD_ERROR(EISCONN)
+    XSD_ERROR(EISCONN),
+    XSD_ERROR(E2BIG)
 };
 #endif