
[Xen-changelog] [xen-unstable] xenstored: fix use-after-free bug



# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1235919004 0
# Node ID 226031d62fc53d92df1aa7ba5565e887fa925318
# Parent  edd7f612ebe0bb4e69159e76435b0b59caaa539d
xenstored: fix use-after-free bug

Problem:  Handling requests for one connection can not only zap the
connection itself, due to socket disconnects for example.  It can also
zap *other* connections, due to domain release requests.  Especially
it can zap the connection we have saved a pointer to in the "next"
variable.

From: Gerd Hoffmann <kraxel@xxxxxxxxxx>
Signed-off-by: Keir Fraser <keir.fraser@xxxxxxxxxx>
---
 tools/xenstore/xenstored_core.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff -r edd7f612ebe0 -r 226031d62fc5 tools/xenstore/xenstored_core.c
--- a/tools/xenstore/xenstored_core.c   Sun Mar 01 14:35:57 2009 +0000
+++ b/tools/xenstore/xenstored_core.c   Sun Mar 01 14:50:04 2009 +0000
@@ -1937,14 +1937,17 @@ int main(int argc, char *argv[])
                        handle_event();
 
                next = list_entry(connections.next, typeof(*conn), list);
+               if (&next->list != &connections)
+                       talloc_increase_ref_count(next);
                while (&next->list != &connections) {
                        conn = next;
 
                        next = list_entry(conn->list.next,
                                          typeof(*conn), list);
+                       if (&next->list != &connections)
+                               talloc_increase_ref_count(next);
 
                        if (conn->domain) {
-                               talloc_increase_ref_count(conn);
                                if (domain_can_read(conn))
                                        handle_input(conn);
                                if (talloc_free(conn) == 0)
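Review bot: The balance of the reference count should be documented, because after this hunk the take and the release sit in different iterations: the `talloc_increase_ref_count(next)` at the end of one iteration is the reference that `talloc_free(conn)` drops in the next one (`conn = next`), which is why the removed `talloc_increase_ref_count(conn)` is not lost. A short comment above `while (&next->list != &connections)` stating that `next` is pinned so that `handle_input(conn)` releasing other connections (the domain release case from the commit message) cannot free it would make this invariant visible. The guarded increment `if (&next->list != &connections) talloc_increase_ref_count(next);` now appears twice (before the loop and inside it); a small static helper would keep the two sites identical. Finally, any early exit from the loop body that bypasses `talloc_free(conn)` would now leak the reference on the pinned connection, so the part of the loop outside this hunk should be checked for such paths.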
@@ -1957,7 +1960,6 @@ int main(int argc, char *argv[])
                                if (talloc_free(conn) == 0)
                                        continue;
                        } else {
-                               talloc_increase_ref_count(conn);
                                if (FD_ISSET(conn->fd, &inset))
                                        handle_input(conn);
                                if (talloc_free(conn) == 0)
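Review bot: Dropping `talloc_increase_ref_count(conn)` from the socket (`else`) branch is consistent with the first hunk, since the reference on this connection was already taken while it was still `next`, and the unchanged `if (talloc_free(conn) == 0) continue;` remains the matching release, so the count stays balanced on the domain and socket paths alike. Because the pairing is no longer local to this branch, the `continue` is the only thing left here that hints at the ownership scheme; a one-line comment noting that the reference was taken in the previous iteration would help the next reader of this branch.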

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog