On 03/07/2018 05:52 AM, Daniel P. Berrangé wrote:
On Wed, Mar 07, 2018 at 11:59:56AM +0100, Juan Quintela wrote:
Signed-off-by: Juan Quintela <quint...@redhat.com>
---
  migration/socket.c | 6 ++----
  1 file changed, 2 insertions(+), 4 deletions(-)


Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>


It will only return NULL if a client connected & then went away. This should
not happen with a "normal" mgmt app usage. On the flip side this allows a
malicious network attacker to inflict a denial of service on the migration
by simply connecting to target QEMU & immediately exiting.

Our "authentication" for migration relies on being able to validate the TLS
certs during TLS handshake. So in general we ought to allow repeated incoming
connections until we get a successful handshake.

Indeed, our NBD code had some CVE fixes last year where a rogue 'nc' process could cause denial of service by connecting and hanging up immediately, until we fixed it to retry until the first client that actually got past the handshake. We don't need to repeat CVEs like that.


So in fact, I think a better fix here is to simply remove the original
'error_report' line, and ensure we return G_SOURCE_CONTINUE to wait for
another incoming connection from the real mgmt app.


--
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

Reply via email to