File 0002-CVE-2020-25650-Avoids-uncontrolled-active_xfers-allocations.patch of Package spice-vdagent.20484

Subject: Avoids uncontrolled "active_xfers" allocations
From: Frediano Ziglio freddy77@gmail.com Fri Oct 2 12:27:59 2020 +0100
Date: Thu Oct 29 14:59:18 2020 +0000:
Git: 9d35d8a86fb310fc1f29d428c0a96995948d2357

Limit the number of active file transfers, which could otherwise cause a
DoS by consuming memory in "active_xfers".

This issue was reported by SUSE security team.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Uri Lublin <uril@redhat.com>

Index: spice-vdagent-0.17.0/src/vdagentd.c
===================================================================
--- spice-vdagent-0.17.0.orig/src/vdagentd.c
+++ spice-vdagent-0.17.0/src/vdagentd.c
@@ -44,6 +44,14 @@
 #include "vdagent-virtio-port.h"
 #include "session-info.h"
 
+// Maximum number of transfers active at any time.
+// Avoid DoS from client.
+// As each transfer could likely end up taking a file descriptor
+// it is good to have a limit less than the number of file descriptors
+// in the process (by default 1024). The daemon do not open file
+// descriptors for the transfers but the agents do.
+#define MAX_ACTIVE_TRANSFERS 128
+
 struct agent_data {
     char *session;
     int width;
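Review bot: The comment above `MAX_ACTIVE_TRANSFERS` justifies 128 by the per-process descriptor limit of the agents, but it does not say what the limit is counted over. Judging from the check added in do_client_file_xfer, it is the size of the single `active_xfers` table in the daemon, so the cap appears to be daemon-wide rather than per agent. I would state that in the comment, for example `// The limit is daemon-wide (size of active_xfers), not per agent.` The sentence "The daemon do not open file descriptors" should read "does not".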
@@ -340,6 +348,12 @@ static void do_client_file_xfer(struct v
                "Cancelling client file-xfer request %u",
                s->id, VD_AGENT_FILE_XFER_STATUS_ERROR);
             return;
+        } else if (g_hash_table_size(active_xfers) >= MAX_ACTIVE_TRANSFERS) {
+            send_file_xfer_status(vport,
+               "Too many transfers ongoing. "
+               "Cancelling client file-xfer request %u",
+               s->id, VD_AGENT_FILE_XFER_STATUS_ERROR);
+            return;
         }
         msg_type = VDAGENTD_FILE_XFER_START;
         id = s->id;
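Review bot: The `g_hash_table_size(active_xfers) >= MAX_ACTIVE_TRANSFERS` branch protects the daemon only if every entry is removed from `active_xfers` when a transfer completes, is cancelled, or its agent goes away. Those removal paths are outside this hunk and worth confirming, because a leaked entry would count against the cap forever and eventually refuse all transfers. The refusal also passes a `%u` format message to `send_file_xfer_status` on every rejected request; if that helper logs it (its body is not visible here), a client repeating requests at the cap could produce unbounded log volume, so rate-limiting that message would help. I would add a comment above the branch such as `/* daemon-wide cap; entries must be removed on every completion, cancel and disconnect path */`. do_client_file_xfer starts and ends outside the hunk.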