[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen master] xenstat: Fix buffer over-run with new_domains being negative.

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Mon, 16 Sep 2013 20:56:48 +0000
Delivery-date: Mon, 16 Sep 2013 20:56:55 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

commit 1438d36f96e90d1116bebc6b3013634ca21c49c8
Author:     Konrad Rzeszutek Wilk <konrad@xxxxxxxxxx>
AuthorDate: Tue Sep 10 11:08:30 2013 -0400
Commit:     Ian Campbell <ian.campbell@xxxxxxxxxx>
CommitDate: Fri Sep 13 13:12:29 2013 +0100

    xenstat: Fix buffer over-run with new_domains being negative.
    
    Coverity identified this as:
    CID 1055740 Out-of-bounds read - "In xenstat_get_node:
    Out-of-bounds read from a buffer (CWE-125)"
    
    And sure enough, if xc_domain_getinfolist returns us -1, we will
    try to use it later on in the for (i = 0; i < new_domains; ..)
    loop.
    
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 tools/xenstat/libxenstat/src/xenstat.c |   14 +++++++++-----
 1 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/tools/xenstat/libxenstat/src/xenstat.c 
b/tools/xenstat/libxenstat/src/xenstat.c
index 104655d..e5facb8 100644
--- a/tools/xenstat/libxenstat/src/xenstat.c
+++ b/tools/xenstat/libxenstat/src/xenstat.c
@@ -208,15 +208,15 @@ xenstat_node *xenstat_get_node(xenstat_handle * handle, 
unsigned int flags)
                                                    node->num_domains, 
                                                    DOMAIN_CHUNK_SIZE, 
                                                    domaininfo);
+               if (new_domains < 0)
+                       goto err;
 
                tmp = realloc(node->domains,
                              (node->num_domains + new_domains)
                              * sizeof(xenstat_domain));
-               if (tmp == NULL) {
-                       free(node->domains);
-                       free(node);
-                       return NULL;
-               }
+               if (tmp == NULL)
+                       goto err;
+
                node->domains = tmp;
 
                domain = node->domains + node->num_domains;
@@ -280,6 +280,10 @@ xenstat_node *xenstat_get_node(xenstat_handle * handle, 
unsigned int flags)
        }
 
        return node;
+err:
+       free(node->domains);
+       free(node);
+       return NULL;
 }
 
 void xenstat_free_node(xenstat_node * node)
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

Prev by Date: [Xen-changelog] [xen master] tools/misc: introduce xen-mfndump.
Next by Date: [Xen-changelog] [xen master] libxl: fix libxl__device_disk_from_xs_be to parse backend domid
Previous by thread: [Xen-changelog] [xen master] tools/misc: introduce xen-mfndump.
Next by thread: [Xen-changelog] [xen master] libxl: fix libxl__device_disk_from_xs_be to parse backend domid
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.