X-Git-Url: https://libvirt.org/git/?p=libvirt.git;a=blobdiff_plain;f=src%2Fqemu%2Fqemu_agent.c;h=89183c3f762617c7cb925f8bde013be4ad48a04d;hp=0f36054a6160e24fe26e7e0138194afc6c14d071;hb=fbf31e1a4cd19d6f6e33e0937a009775cd7d9513;hpb=2499d1a095088b49e481e26e50b15c0a5573cbd4
diff --git a/src/qemu/qemu_agent.c b/src/qemu/qemu_agent.c
index 0f36054..89183c3 100644
--- a/src/qemu/qemu_agent.c
+++ b/src/qemu/qemu_agent.c
@@ -53,6 +53,15 @@ VIR_LOG_INIT("qemu.qemu_agent");
 #define DEBUG_IO 0
 #define DEBUG_RAW_IO 0
 
+/* We read from QEMU until seeing a \r\n pair to indicate a
+ * completed reply or event. To avoid memory denial-of-service
+ * though, we must have a size limit on amount of data we
+ * buffer. 10 MB is large enough that it ought to cope with
+ * normal QEMU replies, and small enough that we're not
+ * consuming unreasonable mem.
+ */
+#define QEMU_AGENT_MAX_RESPONSE (10 * 1024 * 1024)
+
 /* When you are the first to uncomment this,
  * don't forget to uncomment the corresponding
  * part in qemuAgentIOProcessEvent as well.
@@ -535,6 +544,12 @@ qemuAgentIORead(qemuAgentPtr mon)
 int ret = 0;
 
 if (avail < 1024) {
+ if (mon->bufferLength >= QEMU_AGENT_MAX_RESPONSE) {
+ virReportSystemError(ERANGE,
+ _("No complete agent response found in %d bytes"),
+ QEMU_AGENT_MAX_RESPONSE);
+ return -1;
+ }
 if (VIR_REALLOC_N(mon->buffer, mon->bufferLength + 1024) < 0)
 return -1;
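Review bot: The new comment above QEMU_AGENT_MAX_RESPONSE describes the wrong peer: in qemu_agent.c the bytes that qemuAgentIORead accumulates in mon->buffer arrive over the guest agent channel, not from QEMU itself, so "We read from QEMU" and "normal QEMU replies" appear to be carried over from the monitor's equivalent limit. That distinction matters for the reader, because the agent side is influenced by the guest and the bound exists precisely to cap what a guest can make the host buffer. I would reword the first line to `/* We read from the guest agent until seeing a \r\n pair to indicate a` and the fifth to ` * normal agent replies, and small enough that we're not`. The check that enforces the limit is in the later qemuAgentIORead hunk, whose end lies outside what is shown here.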