Add a pid controller size limit
Right now there is no limit, so someone could attack
the bmc by adding a very large number of controllers.
Create a limit so this isn't possible.
Tested: Add / Remove functionality still works
Change-Id: Ib408293431250d93b0af71616a1668f6a3d0904a
Signed-off-by: James Feist <james.feist@linux.intel.com>
diff --git a/redfish-core/lib/managers.hpp b/redfish-core/lib/managers.hpp
index 623f8fe..b6d554f 100644
--- a/redfish-core/lib/managers.hpp
+++ b/redfish-core/lib/managers.hpp
@@ -1240,6 +1240,30 @@
messages::internalError(self->asyncResp->res);
return;
}
+ const std::array<const char*, 3> configurations = {
+ pidConfigurationIface, pidZoneConfigurationIface,
+ stepwiseConfigurationIface};
+
+ // erase the paths we don't care about
+ for (auto it = mObj.begin(); it != mObj.end();)
+ {
+ bool found = false;
+ for (const auto& [interface, _] : it->second)
+ {
+ if (std::find(configurations.begin(),
+ configurations.end(),
+ interface) != configurations.end())
+ {
+ found = true;
+ it++;
+ break;
+ }
+ }
+ if (!found)
+ {
+ it = mObj.erase(it);
+ }
+ }
self->managedObj = std::move(mObj);
},
"xyz.openbmc_project.EntityManager", "/", objectManagerIface,
@@ -1446,6 +1470,15 @@
}
BMCWEB_LOG_DEBUG << "Create new = " << createNewObject << "\n";
+
+ // arbitrary limit to avoid attacks
+ constexpr const size_t controllerLimit = 500;
+ if (createNewObject && managedObj.size() >= controllerLimit)
+ {
+ messages::resourceExhaustion(response->res, type);
+ continue;
+ }
+
output["Name"] = boost::replace_all_copy(name, "_", " ");
std::string chassis;