From: Juergen Gross Subject: tools/xenstore: drop watch event messages exceeding maximum size By setting a watch with a very large tag it is possible to trick xenstored to send watch event messages exceeding the maximum allowed payload size. This might in turn lead to a crash of xenstored as the resulting error can cause dereferencing a NULL pointer in case there is no active request being handled by the guest the watch event is being sent to. Fix that by just dropping such watch events. Additionally modify the error handling to test the pointer to be not NULL before dereferencing it. This is XSA-324. Signed-off-by: Juergen Gross Acked-by: Julien Grall diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c index 33f95dcf3c..3d74dbbb40 100644 --- a/tools/xenstore/xenstored_core.c +++ b/tools/xenstore/xenstored_core.c @@ -674,6 +674,9 @@ void send_reply(struct connection *conn, enum xsd_sockmsg_type type, /* Replies reuse the request buffer, events need a new one. */ if (type != XS_WATCH_EVENT) { bdata = conn->in; + /* Drop asynchronous responses, e.g. errors for watch events. */ + if (!bdata) + return; bdata->inhdr = true; bdata->used = 0; conn->in = NULL; diff --git a/tools/xenstore/xenstored_watch.c b/tools/xenstore/xenstored_watch.c index 71c108ea99..9ff20690c0 100644 --- a/tools/xenstore/xenstored_watch.c +++ b/tools/xenstore/xenstored_watch.c @@ -92,6 +92,10 @@ static void add_event(struct connection *conn, } len = strlen(name) + 1 + strlen(watch->token) + 1; + /* Don't try to send over-long events. */ + if (len > XENSTORE_PAYLOAD_MAX) + return; + data = talloc_array(ctx, char, len); if (!data) return;