[Spice-devel] [PATCH spice-server 4/4] spicevmc: Avoids DoS if guest device is not able to get data faster enough

Victor Toso victortoso at redhat.com
Tue Sep 24 12:25:45 UTC 2019 

Hi,

On Mon, Jun 17, 2019 at 04:40:11PM +0100, Frediano Ziglio wrote:
> This fix half (one direction) of
> https://gitlab.freedesktop.org/spice/spice/issues/29.
> Specifically if you have attempt to transfer a file from the client
> using WebDAV.
> Previously the queue to the device was unbound. If device was not
> getting data fast enough the server started queuing data.
> To easily test this you can suspend the WebDAV daemon while transferring
> a big file from the client.
> To simplify the code and reduce the changes server buffers are
> used. This as client token implementation is written with agent
> in mind. While when we exhaust server tokens RedCharDevice doesn't
> close the client when we exhaust client tokens RedCharDevice closes
> the client which in this case it's not wanted.
> 
> Signed-off-by: Frediano Ziglio <fziglio at redhat.com>

Tested a bit with Fedora guest + shared folder, looks fine. For
the series,
Acked-by: Victor Toso <victortoso at redhat.com>

> ---
>  server/spicevmc.c | 26 +++++++++++++++++---------
>  1 file changed, 17 insertions(+), 9 deletions(-)
> 
> diff --git a/server/spicevmc.c b/server/spicevmc.c
> index 02e90199c..1209e7155 100644
> --- a/server/spicevmc.c
> +++ b/server/spicevmc.c
> @@ -491,9 +491,9 @@ static bool handle_compressed_msg(RedVmcChannel *channel, RedChannelClient *rcc,
>      int decompressed_size;
>      RedCharDeviceWriteBuffer *write_buf;
>  
> -    write_buf = red_char_device_write_buffer_get_client(channel->chardev,
> -                                                        red_channel_client_get_client(rcc),
> -                                                        compressed_data_msg->uncompressed_size);
> +    write_buf = red_char_device_write_buffer_get_server(channel->chardev,
> +                                                        compressed_data_msg->uncompressed_size,
> +                                                        false);
>      if (!write_buf) {
>          return FALSE;
>      }
> @@ -565,6 +565,15 @@ static bool spicevmc_red_channel_client_handle_message(RedChannelClient *rcc,
>      return TRUE;
>  }
>  
> +/* if device manage to send some data attempt to unblock the channel */
> +static void spicevmc_on_free_self_token(RedCharDevice *self)
> +{
> +    RedCharDeviceSpiceVmc *vmc = RED_CHAR_DEVICE_SPICEVMC(self);
> +    RedVmcChannel *channel = RED_VMC_CHANNEL(vmc->channel);
> +
> +    red_channel_client_unblock_read(channel->rcc);
> +}
> +
>  static uint8_t *spicevmc_red_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
>                                                         uint16_t type,
>                                                         uint32_t size)
> @@ -572,16 +581,14 @@ static uint8_t *spicevmc_red_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
>  
>      switch (type) {
>      case SPICE_MSGC_SPICEVMC_DATA: {
> -        RedClient *client = red_channel_client_get_client(rcc);
>          RedVmcChannel *channel = RED_VMC_CHANNEL(red_channel_client_get_channel(rcc));
>  
>          assert(!channel->recv_from_client_buf);
>  
> -        channel->recv_from_client_buf = red_char_device_write_buffer_get_client(channel->chardev,
> -                                                                                client,
> -                                                                                size);
> +        channel->recv_from_client_buf = red_char_device_write_buffer_get_server(channel->chardev,
> +                                                                                size, true);
>          if (!channel->recv_from_client_buf) {
> -            spice_error("failed to allocate write buffer");
> +            red_channel_client_block_read(rcc);
>              return NULL;
>          }
>          return channel->recv_from_client_buf->buf;
> @@ -908,6 +915,7 @@ red_char_device_spicevmc_class_init(RedCharDeviceSpiceVmcClass *klass)
>      char_dev_class->send_msg_to_client = spicevmc_chardev_send_msg_to_client;
>      char_dev_class->remove_client = spicevmc_char_dev_remove_client;
>      char_dev_class->port_event = spicevmc_port_event;
> +    char_dev_class->on_free_self_token = spicevmc_on_free_self_token;
>  
>      g_object_class_install_property(object_class,
>                                      PROP_CHANNEL,
> @@ -934,7 +942,7 @@ red_char_device_spicevmc_new(SpiceCharDeviceInstance *sin,
>                          "sin", sin,
>                          "spice-server", reds,
>                          "client-tokens-interval", 0ULL,
> -                        "self-tokens", ~0ULL,
> +                        "self-tokens", 128, // limit number of messages sent to device
>                          "channel", channel,
>                          NULL);
>  }
> -- 
> 2.20.1
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/spice-devel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/spice-devel/attachments/20190924/d96f93e7/attachment.sig>

More information about the Spice-devel mailing list