[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libvir] [patch 9/9] Implement better error reporting



On Fri, 2007-02-16 at 19:28 +0000, Daniel P. Berrange wrote:
> On Fri, Feb 16, 2007 at 02:44:57PM +0000, Mark McLoughlin wrote:

> > @@ -1226,6 +1332,7 @@ static int qemudDispatchPoll(struct qemu
> >  
> >      while (sock) {
> >          struct qemud_socket *next = sock->next;
> > +        /* FIXME: the daemon shouldn't exit on error here */
> >          if (fds[fd].revents)
> >              if (qemudDispatchServer(server, sock) < 0)
> >                  return -1;
> 
> Yes & no. There are two reasons why qemuDispatchServer can fail. Either
> it can fail to set  CLOSEXEC/NONBLOCK mode on the client socket, in
> which case we could simply drop the client & continue without exiting.
> If the accept() call fails for anything other than EAGAIN/EINTR then
> we arguably should exit, because something serious has gone wrong.

	Doesn't accept() fail if the client fails to send the final ACK? Do we
want the daemon to die in that case? Think of an unprivileged user
connecting to the system daemon's readonly socket ... you really want to
be paranoid about the daemon exiting as it creates the opportunity for
unprivileged users to take down guests and networks.

	i.e. I'm not sure whether it would be actually possible to exploit it
in this way, but I'd tend to be pretty paranoid about any exit point
from the daemon.

Cheers,
Mark.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]