diff options
| author | Richard W.M. Jones <rjones@redhat.com> | 2012-05-28 17:55:07 +0100 |
|---|---|---|
| committer | Richard W.M. Jones <rjones@redhat.com> | 2012-05-28 17:55:07 +0100 |
| commit | bcbb6bb760d45b3a640c5e0c9d0e0cf64c2cf0f2 (patch) | |
| tree | 3350b9970cd90c368fe7affb57f053b63dd6b907 /daemon | |
| parent | a7868dd3c940b6cee0894e6033ba611f01a423dd (diff) | |
| download | libguestfs-bcbb6bb760d45b3a640c5e0c9d0e0cf64c2cf0f2.tar.gz libguestfs-bcbb6bb760d45b3a640c5e0c9d0e0cf64c2cf0f2.tar.xz libguestfs-bcbb6bb760d45b3a640c5e0c9d0e0cf64c2cf0f2.zip | |
xattr: Refuse to set or get oversized extended attributes.
See:
https://www.redhat.com/archives/libguestfs/2012-May/msg00152.html
Diffstat (limited to 'daemon')
| -rw-r--r-- | daemon/xattr.c | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/daemon/xattr.c b/daemon/xattr.c index ca1b722d..71033071 100644 --- a/daemon/xattr.c +++ b/daemon/xattr.c @@ -19,6 +19,7 @@ #include <config.h> #include <stdio.h> +#include <limits.h> #include <unistd.h> #include "guestfs_protocol.h" @@ -174,6 +175,12 @@ getxattrs (const char *path, goto error; } + if (vlen > XATTR_SIZE_MAX) { + /* The next call to getxattr will fail anyway, so ... */ + reply_with_error ("extended attribute is too large"); + goto error; + } + r->guestfs_int_xattr_list_val[j].attrname = strdup (&buf[i]); r->guestfs_int_xattr_list_val[j].attrval.attrval_val = malloc (vlen); r->guestfs_int_xattr_list_val[j].attrval.attrval_len = vlen; @@ -222,6 +229,11 @@ _setxattr (const char *xattr, const char *val, int vallen, const char *path, { int r; + if (vallen > XATTR_SIZE_MAX) { + reply_with_error ("extended attribute is too large"); + return -1; + } + CHROOT_IN; r = setxattr (path, xattr, val, vallen, 0); CHROOT_OUT; @@ -372,6 +384,11 @@ do_lxattrlist (const char *path, char *const *names) goto error; } + if (vlen > XATTR_SIZE_MAX) { + reply_with_error ("extended attribute is too large"); + goto error; + } + entry[j+1].attrname = strdup (&buf[i]); entry[j+1].attrval.attrval_val = malloc (vlen); entry[j+1].attrval.attrval_len = vlen; @@ -442,6 +459,12 @@ do_getxattr (const char *path, const char *name, size_t *size_r) } len = r; + + if (len > XATTR_SIZE_MAX) { + reply_with_error ("extended attribute is too large"); + return NULL; + } + buf = malloc (len); if (buf == NULL) { reply_with_perror ("malloc"); @@ -484,6 +507,12 @@ do_lgetxattr (const char *path, const char *name, size_t *size_r) } len = r; + + if (len > XATTR_SIZE_MAX) { + reply_with_error ("extended attribute is too large"); + return NULL; + } + buf = malloc (len); if (buf == NULL) { reply_with_perror ("malloc"); |