[Xen-devel] [patch] fix xenstored
Hi,

There is a use-after-free bug in xenstored.

Problem: Handling requests for one connection can not only zap the connection itself, due to socket disconnects for example. It can also zap *other* connections, due to domain release requests. Especially it can zap the connection we have saved a pointer to in the "next" variable.

The attached patch fixes it by adjusting the reference counting.

Please apply,
Gerd

diff -r 8417ddc981b4 tools/xenstore/xenstored_core.c --- a/tools/xenstore/xenstored_core.c Mon Jan 05 11:10:54 2009 +0000 +++ b/tools/xenstore/xenstored_core.c Thu Feb 26 18:22:31 2009 +0100 @@ -1937,14 +1937,17 @@ handle_event(); next = list_entry(connections.next, typeof(*conn), list); + if (&next->list != &connections) + talloc_increase_ref_count(next); while (&next->list != &connections) { conn = next; next = list_entry(conn->list.next, typeof(*conn), list); + if (&next->list != &connections) + talloc_increase_ref_count(next); if (conn->domain) { - talloc_increase_ref_count(conn); if (domain_can_read(conn)) handle_input(conn); if (talloc_free(conn) == 0) @@ -1957,7 +1960,6 @@ if (talloc_free(conn) == 0) continue; } else { - talloc_increase_ref_count(conn); if (FD_ISSET(conn->fd, &inset)) handle_input(conn); if (talloc_free(conn) == 0)
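Review bot: The reference on a connection is now taken one iteration before the `talloc_free(conn)` that releases it (the new `talloc_increase_ref_count(next)` before the loop and after `next = list_entry(conn->list.next, ...)`), and that pairing is no longer visible at the free site in either branch; a one-line comment at the pre-loop increase should state that `next` is pinned from the moment it is read so that a handler which releases other connections (the domain-release case from the description) cannot free it under the iterator, and that the matching drop is the existing `talloc_free(conn)` in the next iteration. The check `if (&next->list != &connections)` before each increase correctly skips the list head, and the count per connection stays balanced (one increase as `next`, one `talloc_free` as `conn`), so the removed increases in both branches are consistent with that. One question the visible lines do not answer: when another connection's handler drops its own reference to the pinned `next`, our reference keeps the object alive and on the list, so the loop will still enter `if (conn->domain)` for it on the next iteration; please confirm that the release path clears or otherwise invalidates `conn->domain` before `domain_can_read(conn)` runs on such a connection.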