From 89fa75d69010e6d0d107b7025538fe14201da489 Mon Sep 17 00:00:00 2001
From: Jan Tomko <jtomko@redhat.com>
Date: Wed, 14 Oct 2020 16:38:07 +0800
Subject: [PATCH] rpc: gendispatch: handle empty flags

CVE-2020-25637

Prepare for omission of the <flagname> in remote_protocol.x
@acl annotations:
 @acl: <object>:<permission>:<flagname>
so that we can add more field after, e.g.:
 @acl: <object>:<permission>::<field>

Signed-off-by: Jan Tomko <jtomko@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>

cherry-pick from commit 955029bd0ad7ef96000f529ac38204a8f4a96401
Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
---
 src/rpc/gendispatch.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl
index 0b2ae59910..6feb1c8320 100755
--- a/src/rpc/gendispatch.pl
+++ b/src/rpc/gendispatch.pl
@@ -2119,7 +2119,7 @@ elsif ($mode eq "client") {
                 if ($acl[$i]->{object} ne $acl[0]->{object}) {
                     die "acl for '$call->{ProcName}' cannot check different objects";
                 }
-                if (defined $acl[$i]->{flags}) {
+                if (defined $acl[$i]->{flags} && length $acl[$i]->{flags}) {
                     $checkflags = 1;
                 }
             }
@@ -2207,7 +2207,7 @@ elsif ($mode eq "client") {
                     my $method = "virAccessManagerCheck" . $object;
                     my $space = ' ' x length($method);
                     print "    if (";
-                    if (defined $acl->{flags}) {
+                    if (defined $acl->{flags} && length $acl->{flags}) {
                         my $flags = $acl->{flags};
                         if ($flags =~ /^\!/) {
                             $flags = substr $flags, 1;
-- 
2.23.0