debuggers.hg
changeset 16646:95bb6485d29d
xenstore size limits
* Documents the existing 4kby size limit on xenstore message payloads
* Causes xs.c in libxenstore to fail locally rather than violating
said limit (which is good because xenstored kills the client
connection if it's exceeded).
* Introduces some limits on path lengths in xenstored. I trust
no-one is using path lengths >2kby. This is good because currently
a domain client can create a 4kby relative path that the dom0 tools
cannot access since they'd have to specify the somewhat longer
absolute path.
* Removes uses of the host's PATH_MAX (!)
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
| author | Keir Fraser <keir.fraser@citrix.com> |
|---|---|
| date | Fri Dec 14 10:15:00 2007 +0000 (2007-12-14) |
| parents | a4fadcab5cb0 |
| children | 1f8797a74743 |
| files | docs/misc/xenstore.txt tools/xenstore/xenstored_core.c tools/xenstore/xenstored_watch.c tools/xenstore/xs.c tools/xenstore/xsls.c xen/include/public/io/xs_wire.h |
line diff
1.1 --- a/docs/misc/xenstore.txt Fri Dec 14 10:12:15 2007 +0000 1.2 +++ b/docs/misc/xenstore.txt Fri Dec 14 10:15:00 2007 +0000 1.3 @@ -38,7 +38,9 @@ The permitted character for paths set is 1.4 the four punctuation characters -/_@ (hyphen slash underscore atsign). 1.5 @ should be avoided except to specify special watches (see below). 1.6 Doubled slashes and trailing slashes (except to specify the root) are 1.7 -forbidden. The empty path is also forbidden. 1.8 +forbidden. The empty path is also forbidden. Paths longer than 3072 1.9 +bytes are forbidden; clients specifying relative paths should keep 1.10 +them to within 2048 bytes. (See XENSTORE_*_PATH_MAX in xs_wire.h.) 1.11 1.12 1.13 Communication with xenstore is via either sockets, or event channel 1.14 @@ -56,6 +58,20 @@ order and must use req_id (and tx_id, if 1.15 replies to requests. (The current implementation always replies to 1.16 requests in the order received but this should not be relied on.) 1.17 1.18 +The payload length (len field of the header) is limited to 4096 1.19 +(XENSTORE_PAYLOAD_MAX) in both directions. If a client exceeds the 1.20 +limit, its xenstored connection will be immediately killed by 1.21 +xenstored, which is usually catastrophic from the client's point of 1.22 +view. Clients (particularly domains, which cannot just reconnect) 1.23 +should avoid this. 1.24 + 1.25 +Existing clients do not always contain defences against overly long 1.26 +payloads. Increasing xenstored's limit is therefore difficult; it 1.27 +would require negotiation with the client, and obviously would make 1.28 +parts of xenstore inaccessible to some clients. In any case passing 1.29 +bulk data through xenstore is not recommended as the performance 1.30 +properties are poor. 1.31 + 1.32 1.33 ---------- Xenstore protocol details - introduction ---------- 1.34
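Review bot: In the first hunk, "clients specifying relative paths should keep them to within 2048 bytes" reads as advice, while the constant it points readers to (XENSTORE_REL_PATH_MAX) reads as a hard limit; the text should say which it is. The only explicit XENSTORE_REL_PATH_MAX check elsewhere in this changeset is in do_watch for "@" special watches, so an ordinary relative path is not rejected at 2048 bytes by anything shown here. Either state that relative paths are only bounded by the 3072-byte absolute limit, or add the enforcement the sentence implies. In the second hunk it is also worth saying that libxenstore now refuses over-long requests locally with E2BIG, so a client using the library sees an error rather than a dropped connection.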
2.1 --- a/tools/xenstore/xenstored_core.c Fri Dec 14 10:12:15 2007 +0000 2.2 +++ b/tools/xenstore/xenstored_core.c Fri Dec 14 10:15:00 2007 +0000 2.3 @@ -672,6 +672,9 @@ bool is_valid_nodename(const char *node) 2.4 if (strstr(node, "//")) 2.5 return false; 2.6 2.7 + if (strlen(node) > XENSTORE_ABS_PATH_MAX) 2.8 + return false; 2.9 + 2.10 return valid_chars(node); 2.11 } 2.12 2.13 @@ -1281,7 +1284,7 @@ static void handle_input(struct connecti 2.14 if (in->used != sizeof(in->hdr)) 2.15 return; 2.16 2.17 - if (in->hdr.msg.len > PATH_MAX) { 2.18 + if (in->hdr.msg.len > XENSTORE_PAYLOAD_MAX) { 2.19 syslog(LOG_ERR, "Client tried to feed us %i", 2.20 in->hdr.msg.len); 2.21 goto bad_client;
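Review bot: In the second hunk, the syslog on an oversized header ("Client tried to feed us %i") is the only record left before the connection is killed, and it does not say which client sent it; since the docs hunk in this same changeset calls that outcome catastrophic for a domain, include the connection or domain identity in the message so an operator can attribute the disconnect. Minor, in the first hunk: the strlen check could be placed before the strstr(node, "//") scan so an over-long name is rejected before any further scanning of it.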
3.1 --- a/tools/xenstore/xenstored_watch.c Fri Dec 14 10:12:15 2007 +0000 3.2 +++ b/tools/xenstore/xenstored_watch.c Fri Dec 14 10:15:00 2007 +0000 3.3 @@ -125,6 +125,10 @@ void do_watch(struct connection *conn, s 3.4 3.5 if (strstarts(vec[0], "@")) { 3.6 relative = false; 3.7 + if (strlen(vec[0]) > XENSTORE_REL_PATH_MAX) { 3.8 + send_error(conn, EINVAL); 3.9 + return; 3.10 + } 3.11 /* check if valid event */ 3.12 } else { 3.13 relative = !strstarts(vec[0], "/");
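Review bot: The new XENSTORE_REL_PATH_MAX check sits inside the strstarts(vec[0], "@") branch, so it bounds special-watch tokens, not the relative paths that the commit message and the docs hunk say should stay within 2048 bytes; the else branch that sets relative = true gets no length check in this hunk. If the 2048-byte limit is meant to apply to relative watch paths, move or duplicate the check into that branch; if not, adjust the "/* check if valid event */" comment so the "@" check is not mistaken for relative-path validation. Rejecting with send_error(conn, EINVAL) instead of dropping the connection matches the "just gets you an error back" comment in xs_wire.h, which is the right choice for a domain client.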
4.1 --- a/tools/xenstore/xs.c Fri Dec 14 10:12:15 2007 +0000 4.2 +++ b/tools/xenstore/xs.c Fri Dec 14 10:15:00 2007 +0000 4.3 @@ -319,6 +319,11 @@ static void *xs_talkv(struct xs_handle * 4.4 for (i = 0; i < num_vecs; i++) 4.5 msg.len += iovec[i].iov_len; 4.6 4.7 + if (msg.len > XENSTORE_PAYLOAD_MAX) { 4.8 + errno = E2BIG; 4.9 + return 0; 4.10 + } 4.11 + 4.12 ignorepipe.sa_handler = SIG_IGN; 4.13 sigemptyset(&ignorepipe.sa_mask); 4.14 ignorepipe.sa_flags = 0;
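Review bot: The XENSTORE_PAYLOAD_MAX comparison runs only after the loop has summed every iov_len into msg.len; if msg.len is the wire header's 32-bit len field (narrower than size_t), a pathological iovec whose lengths sum past 2^32 wraps and passes the check. Comparing each iov_len against the remaining budget inside the loop, or accumulating into a size_t before assigning, avoids that. Two smaller points: return NULL is clearer than return 0 from a void * function, and the new E2BIG failure mode should be documented in the library's public header so callers know to handle it.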
5.1 --- a/tools/xenstore/xsls.c Fri Dec 14 10:12:15 2007 +0000 5.2 +++ b/tools/xenstore/xsls.c Fri Dec 14 10:15:00 2007 +0000 5.3 @@ -8,7 +8,7 @@ 5.4 #include <sys/ioctl.h> 5.5 #include <termios.h> 5.6 5.7 -#define STRING_MAX PATH_MAX 5.8 +#define STRING_MAX XENSTORE_ABS_PATH_MAX+1024 5.9 static int max_width = 80; 5.10 static int desired_width = 60; 5.11 static int show_whole_path = 0;
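Review bot: The replacement macro body XENSTORE_ABS_PATH_MAX+1024 is not parenthesised, so a later use such as STRING_MAX*2 or a - STRING_MAX would bind differently than intended; write it as (XENSTORE_ABS_PATH_MAX+1024). A one-line comment on why 1024 bytes of headroom are added to the absolute path limit would also help, since nothing in the hunk says what the extra space is for.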
6.1 --- a/xen/include/public/io/xs_wire.h Fri Dec 14 10:12:15 2007 +0000 6.2 +++ b/xen/include/public/io/xs_wire.h Fri Dec 14 10:15:00 2007 +0000 6.3 @@ -108,6 +108,13 @@ struct xenstore_domain_interface { 6.4 XENSTORE_RING_IDX rsp_cons, rsp_prod; 6.5 }; 6.6 6.7 +/* Violating this is very bad. See docs/misc/xenstore.txt. */ 6.8 +#define XENSTORE_PAYLOAD_MAX 4096 6.9 + 6.10 +/* Violating these just gets you an error back */ 6.11 +#define XENSTORE_ABS_PATH_MAX 3072 6.12 +#define XENSTORE_REL_PATH_MAX 2048 6.13 + 6.14 #endif /* _XS_WIRE_H */ 6.15 6.16 /*
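Review bot: "Violating this is very bad" on XENSTORE_PAYLOAD_MAX should state the concrete consequence the docs hunk describes (xenstored closes the connection, which a domain cannot recover from), because xs_wire.h is the public interface header that guest-side implementers read without the docs. Likewise "Violating these just gets you an error back" for the two path limits would be more useful if it named the error (EINVAL). Since these values now live in the public ABI header, a note that they cannot simply be raised later without client negotiation (as the docs hunk explains) would stop a future edit from silently breaking older clients.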