[xen master] tools/xenstored: fix canonicalize() error testing
commit 4c61822b04aac089d1df9ab15ae3a3f6dfb4e305
Author: Juergen Gross <jgross@xxxxxxxx>
AuthorDate: Thu Feb 12 08:29:38 2026 +0100
Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Mar 17 12:08:07 2026 +0000

tools/xenstored: fix canonicalize() error testing

The setting of errno in canonicalize() is rather fragile and seems to
be even wrong in one corner case: when the invalid path "/local/domain/"
is passed, sscanf() will set errno to 0, resulting in canonicalize()
returning NULL with errno being 0. This can result in triggering the
assert(conn->in == NULL) in consider_message().

Don't assume the initial setting of errno to "EINVAL" will stay valid
in all cases and set it to EINVAL only when returning NULL due to an
invalid path.

This is XSA-481/CVE-2026-23555

Reported-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
Reviewed-by: Julien Grall <julien@xxxxxxx>
---
tools/xenstored/core.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tools/xenstored/core.c b/tools/xenstored/core.c
index d509736c32..e4d2fd4876 100644
--- a/tools/xenstored/core.c
+++ b/tools/xenstored/core.c
@@ -1240,11 +1240,10 @@ const char *canonicalize(struct connection *conn, const
void *ctx,
* - illegal character in node
* - starts with '@' but no special node allowed
*/
- errno = EINVAL;
if (!node ||
!valid_chars(node) ||
(node[0] == '@' && !allow_special))
- return NULL;
+ goto inval;
if (node[0] != '/' && node[0] != '@') {
name = talloc_asprintf(ctx, "%s/%s", get_implicit_path(conn),
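Review bot: With the up-front `errno = EINVAL;` removed, the `talloc_asprintf()` call at the end of this hunk becomes a NULL-returning path that no longer has a default errno behind it. Its failure handling lies outside the visible context, so please confirm that it returns with errno explicitly set to a nonzero value (ENOMEM would be the natural choice), so that canonicalize() never returns NULL with errno 0 on that path either. The comment block above the check lists the invalid-path cases and could also say that they all leave through the `inval` label with EINVAL.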
@@ -1272,6 +1271,8 @@ const char *canonicalize(struct connection *conn, const
void *ctx,
if (name != node)
talloc_free(name);
+ inval:
+ errno = EINVAL;
return NULL;
}
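Review bot: A comment is missing at the `inval:` label explaining why `errno = EINVAL;` has to be the last statement before `return NULL;`, that is, after `talloc_free(name)` and after any call that can change errno (the commit message names sscanf()). One line there would keep a later edit from moving the assignment back to the top of the function. The diffstat shows only core.c changed, so a regression test that passes "/local/domain/" and checks for NULL with errno == EINVAL would be worth adding alongside the fix.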
--
generated by git-patchbot for /home/xen/git/xen.git#master