head 1.2; access; symbols pkgsrc-2021Q1:1.1.0.4 pkgsrc-2021Q1-base:1.1 pkgsrc-2020Q4:1.1.0.2 pkgsrc-2020Q4-base:1.1; locks; strict; comment @# @; 1.2 date 2021.03.30.06.59.03; author bouyer; state dead; branches; next 1.1; commitid 0qeTE1RWBrm5HiNC; 1.1 date 2020.12.16.17.17.08; author bouyer; state Exp; branches; next ; commitid Hgq1bR1zGxUEtZzC; desc @@ 1.2 log @Update xentools413 and xentools413 to 4.13.3. Changes since 4.13.2: include security fixes for all XSA known to date (up to XSA-369). Other minor bug fixes. @ text @$NetBSD: patch-XSA324,v 1.1 2020/12/16 17:17:08 bouyer Exp $ From: Juergen Gross Subject: tools/xenstore: drop watch event messages exceeding maximum size By setting a watch with a very large tag it is possible to trick xenstored to send watch event messages exceeding the maximum allowed payload size. This might in turn lead to a crash of xenstored as the resulting error can cause dereferencing a NULL pointer in case there is no active request being handled by the guest the watch event is being sent to. Fix that by just dropping such watch events. Additionally modify the error handling to test the pointer to be not NULL before dereferencing it. This is XSA-324. Signed-off-by: Juergen Gross Acked-by: Julien Grall diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c index 33f95dcf3c..3d74dbbb40 100644 --- tools/xenstore/xenstored_core.c.orig +++ tools/xenstore/xenstored_core.c @@@@ -674,6 +674,9 @@@@ void send_reply(struct connection *conn, enum xsd_sockmsg_type type, /* Replies reuse the request buffer, events need a new one. */ if (type != XS_WATCH_EVENT) { bdata = conn->in; + /* Drop asynchronous responses, e.g. errors for watch events. */ + if (!bdata) + return; bdata->inhdr = true; bdata->used = 0; conn->in = NULL; 
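Review bot: the early `return` in send_reply when `conn->in` is NULL discards the message silently, and the comment "Drop asynchronous responses" does not say why that is safe; since the commit message explains this path is reached only when an error is generated for a watch event while no request is in flight, the comment should state that such an error has no request to answer and is therefore intentionally dropped, so a later reader does not mistake this for a lost reply to a real request. Worth noting in the same place that this check is the backstop for the add_event change and not the primary fix; a trace call on this branch would also make the dropped-error case visible in xenstored logs.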
diff --git a/tools/xenstore/xenstored_watch.c b/tools/xenstore/xenstored_watch.c index 71c108ea99..9ff20690c0 100644 --- tools/xenstore/xenstored_watch.c.orig +++ tools/xenstore/xenstored_watch.c @@@@ -92,6 +92,10 @@@@ static void add_event(struct connection *conn, } len = strlen(name) + 1 + strlen(watch->token) + 1; + /* Don't try to send over-long events. */ + if (len > XENSTORE_PAYLOAD_MAX) + return; + data = talloc_array(ctx, char, len); if (!data) return; @ 1.1 log @Add upstream patches for a bunch of Xen security advisories, related to xenstore permissions. @ text @d1 1 a1 1 $NetBSD: $ @
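Review bot: the `len > XENSTORE_PAYLOAD_MAX` check in add_event drops the event silently, so a watch registered with an over-long token stays registered but never fires, and neither the watcher nor the administrator is told why; the size limit is already known when the watch is set up, so consider rejecting such tokens at registration time (returning an error to the guest) in addition to this check, and add a trace on the drop so the condition shows up in xenstored logs. The comparison itself is correct: `len` counts both NUL terminators, so an event whose payload is exactly XENSTORE_PAYLOAD_MAX bytes is still sent and only larger ones are dropped.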