
[Xen-devel] [patch] fix xenstored


  • To: Xen Development Mailing List <xen-devel@xxxxxxxxxxxxxxxxxxx>
  • From: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  • Date: Thu, 26 Feb 2009 20:40:27 +0100
  • Delivery-date: Thu, 26 Feb 2009 11:41:08 -0800
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>

  Hi,

There is a use-after-free bug in xenstored.

Problem:  Handling requests for one connection can not only zap the
connection itself, due to socket disconnects for example.  It can also
zap *other* connections, due to domain release requests.  Especially it
can zap the connection we have saved a pointer to in the "next" variable.

The attached patch fixes it by adjusting the reference counting.

Please apply,

  Gerd
diff -r 8417ddc981b4 tools/xenstore/xenstored_core.c
--- a/tools/xenstore/xenstored_core.c   Mon Jan 05 11:10:54 2009 +0000
+++ b/tools/xenstore/xenstored_core.c   Thu Feb 26 18:22:31 2009 +0100
@@ -1937,14 +1937,17 @@
                        handle_event();
 
                next = list_entry(connections.next, typeof(*conn), list);
+               if (&next->list != &connections)
+                       talloc_increase_ref_count(next);
                while (&next->list != &connections) {
                        conn = next;
 
                        next = list_entry(conn->list.next,
                                          typeof(*conn), list);
+                       if (&next->list != &connections)
+                               talloc_increase_ref_count(next);
 
                        if (conn->domain) {
-                               talloc_increase_ref_count(conn);
                                if (domain_can_read(conn))
                                        handle_input(conn);
                                if (talloc_free(conn) == 0)
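Review bot: the reference is now taken on `next` (before the loop and again after each `next = list_entry(conn->list.next, ...)`) instead of on `conn` just before `handle_input()`, which means the `talloc_free(conn)` at the end of the `if (conn->domain)` branch releases a reference that was acquired one iteration earlier in a different place; that pairing deserves a comment right at the new `talloc_increase_ref_count(next)` sites, e.g. "handling conn may free other connections, including next; hold a reference so the walk survives". Also, once a reference is held on `next`, any exit from the loop body before `conn = next` runs (a `break` or error return in the part of the loop not shown here) would leak that reference; confirm there is no such exit or drop the reference on that path. Finally, `&next->list != &connections` is now repeated three times as the list-end test; a small inline helper or macro would make it harder to miss one of the ref-count sites later.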
@@ -1957,7 +1960,6 @@
                                if (talloc_free(conn) == 0)
                                        continue;
                        } else {
-                               talloc_increase_ref_count(conn);
                                if (FD_ISSET(conn->fd, &inset))
                                        handle_input(conn);
                                if (talloc_free(conn) == 0)
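Review bot: in the socket (`else`) branch the local `talloc_increase_ref_count(conn)` is removed as well, so the `talloc_free(conn) == 0` test here depends entirely on the reference taken in the loop header when this connection was still `next`; a one-line comment above `talloc_free(conn)` saying the reference being dropped is the one taken before handling, not one acquired in this branch, would keep the next reader from "fixing" the apparent imbalance by re-adding the `increase_ref_count`. The change is consistent with the first hunk, and the `continue` on successful free correctly skips the already-freed `conn`, since `next` was computed before `handle_input()`.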
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel