[Xen-changelog] [xen-unstable] xenstored: fix use-after free bug
# HG changeset patch # User Keir Fraser <keir.fraser@xxxxxxxxxx> # Date 1235919004 0 # Node ID 226031d62fc53d92df1aa7ba5565e887fa925318 # Parent edd7f612ebe0bb4e69159e76435b0b59caaa539d xenstored: fix use-after free bug Problem: Handling requests for one connection can not only zap the connection itself, due to socket disconnects for example. It can also zap *other* connections, due to domain release requests. Especially it can zap the connection we have saved a pointer to in the "next" variable. From: Gerd Hoffmann <kraxel@xxxxxxxxxx> Signed-off-by: Keir Fraser <keir.fraser@xxxxxxxxxx> --- tools/xenstore/xenstored_core.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) diff -r edd7f612ebe0 -r 226031d62fc5 tools/xenstore/xenstored_core.c --- a/tools/xenstore/xenstored_core.c Sun Mar 01 14:35:57 2009 +0000 +++ b/tools/xenstore/xenstored_core.c Sun Mar 01 14:50:04 2009 +0000 @@ -1937,14 +1937,17 @@ int main(int argc, char *argv[]) handle_event(); next = list_entry(connections.next, typeof(*conn), list); + if (&next->list != &connections) + talloc_increase_ref_count(next); while (&next->list != &connections) { conn = next; next = list_entry(conn->list.next, typeof(*conn), list); + if (&next->list != &connections) + talloc_increase_ref_count(next); if (conn->domain) { - talloc_increase_ref_count(conn); if (domain_can_read(conn)) handle_input(conn); if (talloc_free(conn) == 0) @@ -1957,7 +1960,6 @@ int main(int argc, char *argv[]) if (talloc_free(conn) == 0) continue; } else { - talloc_increase_ref_count(conn); if (FD_ISSET(conn->fd, &inset)) handle_input(conn); if (talloc_free(conn) == 0) _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
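Review bot: In the first hunk (@@ -1937,14 +1937,17 @@), the result of talloc_increase_ref_count(next) is ignored at both added call sites, before the loop and at the top of the loop body. If that call can fail, next is left without the extra reference, and the handle_input(conn) that follows could still release it, which is the case the commit message describes. Check the result, or say in a comment why failure is not possible here. The guard `if (&next->list != &connections)` plus the call now appears twice; a small helper would keep the two sites in step.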
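Review bot: In the second hunk (@@ -1957,7 +1960,6 @@), with talloc_increase_ref_count(conn) removed from the else branch, the `if (talloc_free(conn) == 0)` after handle_input(conn) has no matching increase in sight; it now drops the reference taken on next one iteration earlier. That pairing across iterations deserves a comment at the top of the loop. It also means every path through the loop body has to reach a talloc_free(conn), otherwise the reference taken on next is never dropped. The same applies to the domain branch changed in the first hunk.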