You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
51 lines
1.6 KiB
51 lines
1.6 KiB
2 years ago
|
From 6e5b9924b172be4f33c7fc264a8ff1d6109b79fe Mon Sep 17 00:00:00 2001
|
||
|
From: Frediano Ziglio <freddy77@gmail.com>
|
||
|
Date: Sun, 20 Sep 2020 08:05:37 +0100
|
||
|
Subject: [PATCH vd_agent_linux 12/17] Avoids unlimited agent connections
|
||
|
|
||
|
Limit the number of agents that can be connected.
|
||
|
Avoids reaching the maximum number of files in a process.
|
||
|
Beside one file descriptor per agent the daemon open just some
|
||
|
other fixed number of files.
|
||
|
|
||
|
This issue was reported by SUSE security team.
|
||
|
|
||
|
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
|
||
|
---
|
||
|
src/udscs.c | 12 ++++++++++++
|
||
|
1 file changed, 12 insertions(+)
|
||
|
|
||
|
diff --git a/src/udscs.c b/src/udscs.c
|
||
|
index 7c99eed..3df67b3 100644
|
||
|
--- a/src/udscs.c
|
||
|
+++ b/src/udscs.c
|
||
|
@@ -30,6 +30,12 @@
|
||
|
#include "vdagentd-proto-strings.h"
|
||
|
#include "vdagent-connection.h"
|
||
|
|
||
|
+// Maximum number of connected agents.
|
||
|
+// Avoid DoS from agents.
|
||
|
+// As each connection end up taking a file descriptor is good to have a limit
|
||
|
+// less than the number of file descriptors in the process (by default 1024).
|
||
|
+#define MAX_CONNECTED_AGENTS 128
|
||
|
+
|
||
|
struct _UdscsConnection {
|
||
|
VDAgentConnection parent_instance;
|
||
|
int debug;
|
||
|
@@ -254,6 +260,12 @@ static gboolean udscs_server_accept_cb(GSocketService *service,
|
||
|
struct udscs_server *server = user_data;
|
||
|
UdscsConnection *new_conn;
|
||
|
|
||
|
+ /* prevents DoS having too many agents attached */
|
||
|
+ if (g_list_length(server->connections) >= MAX_CONNECTED_AGENTS) {
|
||
|
+ syslog(LOG_ERR, "Too many agents connected");
|
||
|
+ return TRUE;
|
||
|
+ }
|
||
|
+
|
||
|
new_conn = g_object_new(UDSCS_TYPE_CONNECTION, NULL);
|
||
|
new_conn->debug = server->debug;
|
||
|
new_conn->read_callback = server->read_callback;
|
||
|
--
|
||
|
2.26.2
|
||
|
|