From 6d7d0b1869ed293e3208d11f375cecea0129dfc5 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Mon, 19 Aug 2013 12:42:31 +0100
Subject: [PATCH] Add bounds checking on virDomainGetJobStats RPC call

The return values for the virDomainGetJobStats call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
 daemon/remote.c              | 7 +++++++
 src/remote/remote_driver.c   | 8 ++++++++
 src/remote/remote_protocol.x | 5 ++++-
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/daemon/remote.c b/daemon/remote.c
index a11ba942f3..ad78011932 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -4579,6 +4579,13 @@ remoteDispatchDomainGetJobStats(virNetServerPtr server ATTRIBUTE_UNUSED,
                              &nparams, args->flags) < 0)
         goto cleanup;
 
+    if (nparams > REMOTE_DOMAIN_JOB_STATS_MAX) {
+        virReportError(VIR_ERR_RPC,
+                       _("Too many job stats '%d' for limit '%d'"),
+                       nparams, REMOTE_DOMAIN_JOB_STATS_MAX);
+        goto cleanup;
+    }
+
     if (remoteSerializeTypedParameters(params, nparams,
                                        &ret->params.params_val,
                                        &ret->params.params_len,
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 30f8f905b4..33b2b0fa7e 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -5998,6 +5998,14 @@ remoteDomainGetJobStats(virDomainPtr domain,
              (xdrproc_t) xdr_remote_domain_get_job_stats_ret, (char *) &ret) == -1)
         goto done;
 
+    if (ret.params.params_len > REMOTE_DOMAIN_JOB_STATS_MAX) {
+        virReportError(VIR_ERR_RPC,
+                       _("Too many job stats '%d' for limit '%d'"),
+                       ret.params.params_len,
+                       REMOTE_DOMAIN_JOB_STATS_MAX);
+        goto cleanup;
+    }
+
     *type = ret.type;
 
     if (remoteDeserializeTypedParameters(ret.params.params_val,
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index 4262c3439a..eff7e1c834 100644
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -237,6 +237,9 @@ const REMOTE_NODE_MEMORY_PARAMETERS_MAX = 64;
 /* Upper limit on migrate parameters */
 const REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX = 64;
 
+/* Upper limit on number of job stats */
+const REMOTE_DOMAIN_JOB_STATS_MAX = 16;
+
 /* UUID.  VIR_UUID_BUFLEN definition comes from libvirt.h */
 typedef opaque remote_uuid[VIR_UUID_BUFLEN];
 
@@ -2196,7 +2199,7 @@ struct remote_domain_get_job_stats_args {
 
 struct remote_domain_get_job_stats_ret {
     int type;
-    remote_typed_param params<>;
+    remote_typed_param params<REMOTE_DOMAIN_JOB_STATS_MAX>;
 };
 
 
-- 
2.39.5