From: "Daniel P. Berrange" <berra...@redhat.com>
The use of <> is a security issue for RPC parameters, since a
malicious client can set a huge array length causing arbitrary
memory allocation in the daemon.
It is also a robustness issue for RPC return values, because if
the stream is corrupted, it can cause the client to also allocate
arbitrary memory.
Use a syntax-check rule to prohibit any use of <>
Signed-off-by: Daniel P. Berrange <berra...@redhat.com>
---
cfg.mk | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/cfg.mk b/cfg.mk
index 23564f1..9a9616c 100644
--- a/cfg.mk
+++ b/cfg.mk
@@ -836,6 +836,12 @@ sc_prohibit_config_h_in_headers:
halt='headers should not include <config.h>' \
$(_sc_search_regexp)
+sc_prohibit_unbounded_arrays_in_rpc:
+ @prohibit='<>' \
+ in_vc_files='\.x$$' \
+ halt='Arrays in XDR must have a upper limit set for <NNN>' \
+ $(_sc_search_regexp)
+
# We don't use this feature of maint.mk.
prev_version_file = /dev/null
--
1.8.3.1
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
