X-Git-Url: https://libvirt.org/git/?p=libvirt.git;a=blobdiff_plain;f=src%2Fqemu%2Fqemu_agent.c;h=89183c3f762617c7cb925f8bde013be4ad48a04d;hp=0f36054a6160e24fe26e7e0138194afc6c14d071;hb=fbf31e1a4cd19d6f6e33e0937a009775cd7d9513;hpb=2499d1a095088b49e481e26e50b15c0a5573cbd4

diff --git a/src/qemu/qemu_agent.c b/src/qemu/qemu_agent.c
index 0f36054..89183c3 100644
--- a/src/qemu/qemu_agent.c
+++ b/src/qemu/qemu_agent.c
@@ -53,6 +53,15 @@ VIR_LOG_INIT("qemu.qemu_agent");
 #define DEBUG_IO 0
 #define DEBUG_RAW_IO 0
 
+/* We read from QEMU until seeing a \r\n pair to indicate a
+ * completed reply or event. To avoid memory denial-of-service
+ * though, we must have a size limit on amount of data we
+ * buffer. 10 MB is large enough that it ought to cope with
+ * normal QEMU replies, and small enough that we're not
+ * consuming unreasonable mem.
+ */
+#define QEMU_AGENT_MAX_RESPONSE (10 * 1024 * 1024)
+
 /* When you are the first to uncomment this,
  * don't forget to uncomment the corresponding
  * part in qemuAgentIOProcessEvent as well.
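Review bot: The new comment above QEMU_AGENT_MAX_RESPONSE says "We read from QEMU", but the data whose size this limit bounds is the guest agent's reply, relayed by QEMU from inside the VM, so the untrusted party the limit defends against is the guest rather than QEMU itself; naming that makes the rationale for the cap clearer to the next maintainer. I would reword the first sentence to `/* We read guest agent data (relayed by QEMU) until seeing a \r\n pair to indicate a`. It would also help to state in the comment that the constant must stay an `int` expression, since the new error report in qemuAgentIORead later in this diff prints it with `%d`.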
@@ -535,6 +544,12 @@ qemuAgentIORead(qemuAgentPtr mon)
     int ret = 0;
 
     if (avail < 1024) {
+        if (mon->bufferLength >= QEMU_AGENT_MAX_RESPONSE) {
+            virReportSystemError(ERANGE,
+                                 _("No complete agent response found in %d bytes"),
+                                 QEMU_AGENT_MAX_RESPONSE);
+            return -1;
+        }
         if (VIR_REALLOC_N(mon->buffer,
                           mon->bufferLength + 1024) < 0)
             return -1;
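Review bot: The new size check has no comment connecting it to the threat it addresses, so a reader of qemuAgentIORead sees an arbitrary ERANGE error rather than the memory-exhaustion guard it is. I would precede the `if (mon->bufferLength >= QEMU_AGENT_MAX_RESPONSE)` line with `/* Never grow the buffer past QEMU_AGENT_MAX_RESPONSE: a guest that keeps sending data without a terminating \r\n would otherwise make the host allocate without bound. */`. Note that `%d` in the error message matches the macro only while it remains an `int` expression; if the limit is ever redefined in terms of `size_t` the format must change to `%zu`. The check is only reached when `avail < 1024`, which appears to be the single growth path here, but the start and end of qemuAgentIORead lie outside the hunk, so I cannot confirm from this view that no other code path extends `mon->buffer`.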