[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL 07/10] vnc: track & limit connections
From: |
Gerd Hoffmann |
Subject: |
[Qemu-devel] [PULL 07/10] vnc: track & limit connections |
Date: |
Fri, 19 Dec 2014 10:04:23 +0100 |
Also track the number of connections in "connecting" and "shared" state
(in addition to the "exclusive" state). Apply a configurable limit to
these connections.
The logic to apply the limit to connections in "shared" state is pretty
simple: When the limit is reached no new connections are allowed.
The logic to apply the limit to connections in "connecting" state (this
is the state you are in *before* successful authentication) is
slightly different: A new connect kicks out the oldest client which is
still in "connecting" state. This avoids a easy DoS by unauthenticated
users by simply opening connections until the limit is reached.
Cc: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
---
ui/vnc.c | 46 +++++++++++++++++++++++++++++++++++++++++++---
ui/vnc.h | 3 +++
2 files changed, 46 insertions(+), 3 deletions(-)
diff --git a/ui/vnc.c b/ui/vnc.c
index dd09fc1..2ed16dc 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -68,12 +68,34 @@ static void vnc_set_share_mode(VncState *vs, VncShareMode
mode)
vs->csock, mn[vs->share_mode], mn[mode]);
#endif
- if (vs->share_mode == VNC_SHARE_MODE_EXCLUSIVE) {
+ switch (vs->share_mode) {
+ case VNC_SHARE_MODE_CONNECTING:
+ vs->vd->num_connecting--;
+ break;
+ case VNC_SHARE_MODE_SHARED:
+ vs->vd->num_shared--;
+ break;
+ case VNC_SHARE_MODE_EXCLUSIVE:
vs->vd->num_exclusive--;
+ break;
+ default:
+ break;
}
+
vs->share_mode = mode;
- if (vs->share_mode == VNC_SHARE_MODE_EXCLUSIVE) {
+
+ switch (vs->share_mode) {
+ case VNC_SHARE_MODE_CONNECTING:
+ vs->vd->num_connecting++;
+ break;
+ case VNC_SHARE_MODE_SHARED:
+ vs->vd->num_shared++;
+ break;
+ case VNC_SHARE_MODE_EXCLUSIVE:
vs->vd->num_exclusive++;
+ break;
+ default:
+ break;
}
}
@@ -2337,6 +2359,11 @@ static int protocol_client_init(VncState *vs, uint8_t
*data, size_t len)
}
vnc_set_share_mode(vs, mode);
+ if (vs->vd->num_shared > vs->vd->connections_limit) {
+ vnc_disconnect_start(vs);
+ return 0;
+ }
+
vs->client_width = pixman_image_get_width(vs->vd->server);
vs->client_height = pixman_image_get_height(vs->vd->server);
vnc_write_u16(vs, vs->client_width);
@@ -2889,6 +2916,15 @@ static void vnc_connect(VncDisplay *vd, int csock,
{
vnc_init_state(vs);
}
+
+ if (vd->num_connecting > vd->connections_limit) {
+ QTAILQ_FOREACH(vs, &vd->clients, next) {
+ if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
+ vnc_disconnect_start(vs);
+ return;
+ }
+ }
+ }
}
void vnc_init_state(VncState *vs)
@@ -2907,7 +2943,7 @@ void vnc_init_state(VncState *vs)
qemu_mutex_init(&vs->output_mutex);
vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
- QTAILQ_INSERT_HEAD(&vd->clients, vs, next);
+ QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
graphic_hw_update(vd->dcl.con);
@@ -3097,6 +3133,9 @@ static QemuOptsList qemu_vnc_opts = {
.name = "head",
.type = QEMU_OPT_NUMBER,
},{
+ .name = "connections",
+ .type = QEMU_OPT_NUMBER,
+ },{
.name = "password",
.type = QEMU_OPT_BOOL,
},{
@@ -3210,6 +3249,7 @@ void vnc_display_open(const char *id, Error **errp)
} else {
vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
}
+ vs->connections_limit = qemu_opt_get_number(opts, "connections", 32);
#ifdef CONFIG_VNC_WS
websocket = qemu_opt_get(opts, "websocket");
diff --git a/ui/vnc.h b/ui/vnc.h
index 6fe8278..5e2b1a5 100644
--- a/ui/vnc.h
+++ b/ui/vnc.h
@@ -150,7 +150,10 @@ typedef enum VncSharePolicy {
struct VncDisplay
{
QTAILQ_HEAD(, VncState) clients;
+ int num_connecting;
+ int num_shared;
int num_exclusive;
+ int connections_limit;
VncSharePolicy share_policy;
int lsock;
#ifdef CONFIG_VNC_WS
--
1.8.3.1
- [Qemu-devel] [PULL 00/10] vnc: add support for multiple vnc displays, Gerd Hoffmann, 2014/12/19
- [Qemu-devel] [PULL 02/10] vnc: remove unused DisplayState parameter, add id instead., Gerd Hoffmann, 2014/12/19
- [Qemu-devel] [PULL 06/10] vnc: update docs/multiseat.txt, Gerd Hoffmann, 2014/12/19
- [Qemu-devel] [PULL 04/10] vnc: switch to QemuOpts, allow multiple servers, Gerd Hoffmann, 2014/12/19
- [Qemu-devel] [PULL 09/10] monitor: add query-vnc2 command, Gerd Hoffmann, 2014/12/19
- [Qemu-devel] [PULL 10/10] monitor: add vnc websockets, Gerd Hoffmann, 2014/12/19
- [Qemu-devel] [PULL 03/10] vnc: add display id to acl names, Gerd Hoffmann, 2014/12/19
- [Qemu-devel] [PULL 05/10] vnc: allow binding servers to qemu consoles, Gerd Hoffmann, 2014/12/19
- [Qemu-devel] [PULL 07/10] vnc: track & limit connections,
Gerd Hoffmann <=
- [Qemu-devel] [PULL 08/10] vnc: factor out qmp_query_client_list, Gerd Hoffmann, 2014/12/19
- [Qemu-devel] [PULL 01/10] vnc: remove vnc_display global, Gerd Hoffmann, 2014/12/19
- Re: [Qemu-devel] [PULL 00/10] vnc: add support for multiple vnc displays, Markus Armbruster, 2014/12/19