File 0002-CVE-2020-25652-vdagentd-Limit-number-of-agents-per-session-to-1.patch of Package spice-vdagent.20484

Subject: vdagentd: Limit number of agents per session to 1
From: Frediano Ziglio freddy77@gmail.com Thu Sep 24 12:13:44 2020 +0100
Date: Thu Oct 29 14:59:18 2020 +0000:
Git: 812ca777469a377c84b9861d7d326bfc72563304

Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>

Index: spice-vdagent-0.17.0/src/vdagentd.c
===================================================================
--- spice-vdagent-0.17.0.orig/src/vdagentd.c
+++ spice-vdagent-0.17.0/src/vdagentd.c
@@ -851,6 +851,20 @@ static gboolean check_uid_of_pid(pid_t p
     return TRUE;
 }
 
+/* Check if this connection matches the passed session */
+static int connection_matches_session(struct udscs_connection **connp, void *priv)
+{
+    const char *session = priv;
+    struct agent_data *agent_data = udscs_get_user_data(*connp);
+
+    if (!agent_data || !agent_data->session ||
+        strcmp(agent_data->session, session) != 0) {
+        return 0;
+    }
+
+    return 1;
+}
+
 static void agent_connect(struct udscs_connection *conn)
 {
     struct agent_data *agent_data;
@@ -884,6 +898,15 @@ static void agent_connect(struct udscs_c
             udscs_destroy_connection(&conn);
             return;
         }
+
+        // Check there are no other connection for this session
+        // Note that "conn" is not counted as "agent_data" is still not attached to it
+        if (udscs_server_for_all_clients(server, connection_matches_session,
+                                         agent_data->session) > 0) {
+            syslog(LOG_ERR, "An agent is already connected for this session");
+            udscs_destroy_connection(&conn);
+            return;
+        }
     }
 
     udscs_set_user_data(conn, (void *)agent_data);