From 36c80e29e36eee02f20f18e7f32267442b18c8bd Mon Sep 17 00:00:00 2001
From: Pawel Wieczorkiewicz <wipawel@amazon.de>
Date: Fri, 27 Oct 2017 16:32:15 +0000
Subject: [PATCH] tools/xenstored: Check number of strings passed to
 do_control()

It is possible to send a zero-string message body to xenstore's
XS_CONTROL handling function. Then the number of strings is used
for an array allocation. This leads to a crash in strcmp() in a
CONTROL sub-command invocation loop.
The output of xs_count_string() should be verified and all 0 or
negative values should be rejected with an EINVAL. At least the
sub-command name must be specified.

The xenstore crash can only be triggered from within dom0 (there
is a check in do_control() rejecting all non-dom0 requests with
an EACCES).

Testing: reproduced with the following command:
python -c 'print 16*"\x00"' | nc -U $XENSTORED_RUNDIR/socket

Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Reviewed-by: Martin Pohlack <mpohlack@amazon.de>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Release-acked-by: Julien Grall <julien.grall@linaro.org>
---
 tools/xenstore/xenstored_control.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/xenstore/xenstored_control.c b/tools/xenstore/xenstored_control.c
index 7c149117b1..e4b8aa95ab 100644
--- a/tools/xenstore/xenstored_control.c
+++ b/tools/xenstore/xenstored_control.c
@@ -184,6 +184,8 @@ int do_control(struct connection *conn, struct buffered_data *in)
 		return EACCES;
 
 	num = xs_count_strings(in->buffer, in->used);
+	if (num < 1)
+		return EINVAL;
 	vec = talloc_array(in, char *, num);
 	if (!vec)
 		return ENOMEM;
-- 
2.39.5