RE: [PATCH v2 1/2] vhost: fix possible FDs leak

Mon, 06 Feb 2023 21:39:03 -0800 


> -----Original Message-----
> From: Maxime Coquelin <maxime.coque...@redhat.com>
> Sent: Saturday, January 28, 2023 12:56 AM
> To: dev@dpdk.org; david.march...@redhat.com; Xia, Chenbo
> <chenbo....@intel.com>
> Cc: Coquelin, Maxime <maxime.coque...@redhat.com>; sta...@dpdk.org
> Subject: [PATCH v2 1/2] vhost: fix possible FDs leak
> 
> On failure, read_vhost_message() only closed the message
> FDs if the header size was unexpected, but there are other
> cases where it is required. For exemple in the case the

example

With this fixed:

Reviewed-by: Chenbo Xia <chenbo....@intel.com> 

> payload size read from the header is greater than the
> expected maximum payload size.
> 
> This patch fixes this by closing all messages FDs in all
> error cases.
> 
> Fixes: bf472259dde6 ("vhost: fix possible denial of service by leaking
> FDs")
> Cc: sta...@dpdk.org
> 
> Signed-off-by: Maxime Coquelin <maxime.coque...@redhat.com>
> ---
>  lib/vhost/vhost_user.c | 23 +++++++++++++++--------
>  1 file changed, 15 insertions(+), 8 deletions(-)
> 
> diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c
> index 9902ae9944..943058725e 100644
> --- a/lib/vhost/vhost_user.c
> +++ b/lib/vhost/vhost_user.c
> @@ -2817,29 +2817,36 @@ read_vhost_message(struct virtio_net *dev, int
> sockfd, struct  vhu_msg_context *
> 
>       ret = read_fd_message(dev->ifname, sockfd, (char *)&ctx->msg,
> VHOST_USER_HDR_SIZE,
>               ctx->fds, VHOST_MEMORY_MAX_NREGIONS, &ctx->fd_num);
> -     if (ret <= 0) {
> -             return ret;
> -     } else if (ret != VHOST_USER_HDR_SIZE) {
> +     if (ret <= 0)
> +             goto out;
> +
> +     if (ret != VHOST_USER_HDR_SIZE) {
>               VHOST_LOG_CONFIG(dev->ifname, ERR, "Unexpected header size
> read\n");
> -             close_msg_fds(ctx);
> -             return -1;
> +             ret = -1;
> +             goto out;
>       }
> 
>       if (ctx->msg.size) {
>               if (ctx->msg.size > sizeof(ctx->msg.payload)) {
>                       VHOST_LOG_CONFIG(dev->ifname, ERR, "invalid msg
> size: %d\n",
>                               ctx->msg.size);
> -                     return -1;
> +                     ret = -1;
> +                     goto out;
>               }
>               ret = read(sockfd, &ctx->msg.payload, ctx->msg.size);
>               if (ret <= 0)
> -                     return ret;
> +                     goto out;
>               if (ret != (int)ctx->msg.size) {
>                       VHOST_LOG_CONFIG(dev->ifname, ERR, "read control message
> failed\n");
> -                     return -1;
> +                     ret = -1;
> +                     goto out;
>               }
>       }
> 
> +out:
> +     if (ret <= 0)
> +             close_msg_fds(ctx);
> +
>       return ret;
>  }
> 
> --
> 2.39.1

Reply via email to