server: Limit the access to SpiceDataHeader of messages - only via red_channel.

author: Yonit Halperin <yhalperi@redhat.com> 2012-01-05 17:31:34 +0200
committer: Yonit Halperin <yhalperi@redhat.com> 2012-01-12 16:17:02 +0200
commit: 8b64b95c4339c145867e42f71b3206378bc7c83b (patch)
tree: 1c1ade429b293ce64fb75eae56831a61a4c4fd6b /server/red_tunnel_worker.c
parent: a54f26d04e9a391977a8030d609b52e50243ba52 (diff)
download: spice-8b64b95c4339c145867e42f71b3206378bc7c83b.tar.gz
spice-8b64b95c4339c145867e42f71b3206378bc7c83b.tar.xz
spice-8b64b95c4339c145867e42f71b3206378bc7c83b.zip
1 files changed, 22 insertions, 21 deletions
diff --git a/server/red_tunnel_worker.c b/server/red_tunnel_worker.c
index 1e8267e8..250e8b3e 100644
--- a/server/red_tunnel_worker.c
+++ b/server/red_tunnel_worker.c
@@ -1644,27 +1644,27 @@ static int tunnel_channel_handle_socket_token(TunnelChannelClient *channel, RedS
 }
 
 static uint8_t *tunnel_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
-                                                 SpiceDataHeader *msg_header)
+                                                 uint16_t type, uint32_t size)
 {
     TunnelChannelClient *tunnel_channel = (TunnelChannelClient *)rcc->channel;
 
-    if (msg_header->type == SPICE_MSGC_TUNNEL_SOCKET_DATA) {
+    if (type == SPICE_MSGC_TUNNEL_SOCKET_DATA) {
         return (__tunnel_worker_alloc_socket_rcv_buf(tunnel_channel->worker)->buf);
-    } else if ((msg_header->type == SPICE_MSGC_MIGRATE_DATA) ||
-               (msg_header->type == SPICE_MSGC_TUNNEL_SERVICE_ADD)) {
-        return spice_malloc(msg_header->size);
+    } else if ((type == SPICE_MSGC_MIGRATE_DATA) ||
+               (type == SPICE_MSGC_TUNNEL_SERVICE_ADD)) {
+        return spice_malloc(size);
     } else {
         return (tunnel_channel->control_rcv_buf);
     }
 }
 
 // called by the receive routine of the channel, before the buffer was assigned to a socket
-static void tunnel_channel_release_msg_rcv_buf(RedChannelClient *rcc, SpiceDataHeader *msg_header,
+static void tunnel_channel_release_msg_rcv_buf(RedChannelClient *rcc, uint16_t type, uint32_t size,
                                                uint8_t *msg)
 {
     TunnelChannelClient *tunnel_channel = (TunnelChannelClient *)rcc->channel;
 
-    if (msg_header->type == SPICE_MSGC_TUNNEL_SOCKET_DATA) {
+    if (type == SPICE_MSGC_TUNNEL_SOCKET_DATA) {
         ASSERT(!(SPICE_CONTAINEROF(msg, RedSocketRawRcvBuf, buf)->base.usr_opaque));
         __tunnel_worker_free_socket_rcv_buf(tunnel_channel->worker,
                                             SPICE_CONTAINEROF(msg, RedSocketRawRcvBuf, buf));
@@ -2243,12 +2243,13 @@ error:
 }
 
 //  msg was allocated by tunnel_channel_alloc_msg_rcv_buf
-static int tunnel_channel_handle_message(RedChannelClient *rcc, SpiceDataHeader *header, uint8_t *msg)
+static int tunnel_channel_handle_message(RedChannelClient *rcc, uint16_t type,
+                                         uint32_t size, uint8_t *msg)
 {
     TunnelChannelClient *tunnel_channel = (TunnelChannelClient *)rcc->channel;
     RedSocket *sckt = NULL;
     // retrieve the sckt
-    switch (header->type) {
+    switch (type) {
     case SPICE_MSGC_MIGRATE_FLUSH_MARK:
     case SPICE_MSGC_MIGRATE_DATA:
     case SPICE_MSGC_TUNNEL_SERVICE_ADD:
@@ -2269,12 +2270,12 @@ static int tunnel_channel_handle_message(RedChannelClient *rcc, SpiceDataHeader
         }
         break;
     default:
-        return red_channel_client_handle_message(rcc, header->size, header->type, msg);
+        return red_channel_client_handle_message(rcc, size, type, msg);
     }
 
-    switch (header->type) {
+    switch (type) {
     case SPICE_MSGC_TUNNEL_SERVICE_ADD:
-        if (header->size < sizeof(SpiceMsgcTunnelAddGenericService)) {
+        if (size < sizeof(SpiceMsgcTunnelAddGenericService)) {
             red_printf("bad message size");
             free(msg);
             return FALSE;
@@ -2285,7 +2286,7 @@ static int tunnel_channel_handle_message(RedChannelClient *rcc, SpiceDataHeader
         red_printf("REDC_TUNNEL_REMOVE_SERVICE not supported yet");
         return FALSE;
     case SPICE_MSGC_TUNNEL_SOCKET_OPEN_ACK:
-        if (header->size != sizeof(SpiceMsgcTunnelSocketOpenAck)) {
+        if (size != sizeof(SpiceMsgcTunnelSocketOpenAck)) {
             red_printf("bad message size");
             return FALSE;
         }
@@ -2294,7 +2295,7 @@ static int tunnel_channel_handle_message(RedChannelClient *rcc, SpiceDataHeader
                                                         ((SpiceMsgcTunnelSocketOpenAck *)msg)->tokens);
 
     case SPICE_MSGC_TUNNEL_SOCKET_OPEN_NACK:
-        if (header->size != sizeof(SpiceMsgcTunnelSocketOpenNack)) {
+        if (size != sizeof(SpiceMsgcTunnelSocketOpenNack)) {
             red_printf("bad message size");
             return FALSE;
         }
@@ -2302,35 +2303,35 @@ static int tunnel_channel_handle_message(RedChannelClient *rcc, SpiceDataHeader
         return tunnel_channel_handle_socket_connect_nack(tunnel_channel, sckt);
     case SPICE_MSGC_TUNNEL_SOCKET_DATA:
     {
-        if (header->size < sizeof(SpiceMsgcTunnelSocketData)) {
+        if (size < sizeof(SpiceMsgcTunnelSocketData)) {
             red_printf("bad message size");
             return FALSE;
         }
 
         return tunnel_channel_handle_socket_receive_data(tunnel_channel, sckt,
                                                     SPICE_CONTAINEROF(msg, RedSocketRawRcvBuf, buf),
-                                                    header->size - sizeof(SpiceMsgcTunnelSocketData));
+                                                    size - sizeof(SpiceMsgcTunnelSocketData));
     }
     case SPICE_MSGC_TUNNEL_SOCKET_FIN:
-        if (header->size != sizeof(SpiceMsgcTunnelSocketFin)) {
+        if (size != sizeof(SpiceMsgcTunnelSocketFin)) {
             red_printf("bad message size");
             return FALSE;
         }
         return tunnel_channel_handle_socket_fin(tunnel_channel, sckt);
     case SPICE_MSGC_TUNNEL_SOCKET_CLOSED:
-        if (header->size != sizeof(SpiceMsgcTunnelSocketClosed)) {
+        if (size != sizeof(SpiceMsgcTunnelSocketClosed)) {
             red_printf("bad message size");
             return FALSE;
         }
         return tunnel_channel_handle_socket_closed(tunnel_channel, sckt);
     case SPICE_MSGC_TUNNEL_SOCKET_CLOSED_ACK:
-        if (header->size != sizeof(SpiceMsgcTunnelSocketClosedAck)) {
+        if (size != sizeof(SpiceMsgcTunnelSocketClosedAck)) {
             red_printf("bad message size");
             return FALSE;
         }
         return tunnel_channel_handle_socket_closed_ack(tunnel_channel, sckt);
     case SPICE_MSGC_TUNNEL_SOCKET_TOKEN:
-        if (header->size != sizeof(SpiceMsgcTunnelSocketTokens)) {
+        if (size != sizeof(SpiceMsgcTunnelSocketTokens)) {
             red_printf("bad message size");
             return FALSE;
         }
@@ -2338,7 +2339,7 @@ static int tunnel_channel_handle_message(RedChannelClient *rcc, SpiceDataHeader
         return tunnel_channel_handle_socket_token(tunnel_channel, sckt,
                                                   (SpiceMsgcTunnelSocketTokens *)msg);
     default:
-        return red_channel_client_handle_message(rcc, header->size, header->type, msg);
+        return red_channel_client_handle_message(rcc, size, type, msg);
     }
     return TRUE;
 }
author	Yonit Halperin <yhalperi@redhat.com>	2012-01-05 17:31:34 +0200
committer	Yonit Halperin <yhalperi@redhat.com>	2012-01-12 16:17:02 +0200
commit	8b64b95c4339c145867e42f71b3206378bc7c83b (patch)
tree	1c1ade429b293ce64fb75eae56831a61a4c4fd6b /server/red_tunnel_worker.c
parent	a54f26d04e9a391977a8030d609b52e50243ba52 (diff)
download	spice-8b64b95c4339c145867e42f71b3206378bc7c83b.tar.gz spice-8b64b95c4339c145867e42f71b3206378bc7c83b.tar.xz spice-8b64b95c4339c145867e42f71b3206378bc7c83b.zip