|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH] tools/xenstored: Check number of strings passed to do_control()
On Fri, Oct 27, 2017 at 04:32:15PM +0000, Pawel Wieczorkiewicz wrote: > It is possible to send a zero-string message body to xenstore's > XS_CONTROL handling function. Then the number of strings is used > for an array allocation. This leads to a crash in strcmp() in a > CONTROL sub-command invocation loop. > The output of xs_count_string() should be verified and all 0 or > negative values should be rejected with an EINVAL. At least the > sub-command name must be specified. > > The xenstore crash can only be triggered from within dom0 (there > is a check in do_control() rejecting all non-dom0 requests with > an EACCES). > > Testing: reproduced with the following command: > python -c 'print 16*"\x00"' | nc -U $XENSTORED_RUNDIR/socket > > Signed-off-by: Pawel Wieczorkiewicz <wipawel@xxxxxxxxx> > Reviewed-by: Martin Pohlack <mpohlack@xxxxxxxxx> Acked-by: Wei Liu <wei.liu2@xxxxxxxxxx> _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |