From 9d35d8a86fb310fc1f29d428c0a96995948d2357 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <freddy77@gmail.com>
Date: Fri, 2 Oct 2020 12:27:59 +0100
Subject: [PATCH] Avoids uncontrolled "active_xfers" allocations

Limit the number of active file transfers possibly causing DoSes
consuming memory in "active_xfers".

This issue was reported by SUSE security team.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Uri Lublin <uril@redhat.com>

---
 src/vdagentd/vdagentd.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

--- a/src/vdagentd/vdagentd.c
+++ b/src/vdagentd/vdagentd.c
@@ -46,6 +46,14 @@
 
 #define DEFAULT_UINPUT_DEVICE "/dev/uinput"
 
+// Maximum number of transfers active at any time.
+// Avoid DoS from client.
+// As each transfer could likely end up taking a file descriptor
+// it is good to have a limit less than the number of file descriptors
+// in the process (by default 1024). The daemon do not open file
+// descriptors for the transfers but the agents do.
+#define MAX_ACTIVE_TRANSFERS 128
+
 struct agent_data {
     char *session;
     int width;
@@ -372,6 +380,12 @@ static void do_client_file_xfer(VirtioPo
                "Cancelling client file-xfer request %u",
                s->id, VD_AGENT_FILE_XFER_STATUS_SESSION_LOCKED, NULL, 0);
             return;
+        } else if (g_hash_table_size(active_xfers) >= MAX_ACTIVE_TRANSFERS) {
+            send_file_xfer_status(vport,
+               "Too many transfers ongoing. "
+               "Cancelling client file-xfer request %u",
+               s->id, VD_AGENT_FILE_XFER_STATUS_ERROR, NULL, 0);
+            return;
         }
         msg_type = VDAGENTD_FILE_XFER_START;
         id = s->id;
-- 
GitLab