Re: [Xen-devel] [PATCH for-4.10] tools/xenstored: Check number of strings passed to do_control()
Hi,

Apologies for the late answer, I missed the e-mail in my inbox.

On 10/27/2017 05:37 PM, Ian Jackson wrote:
> Pawel Wieczorkiewicz writes ("[PATCH] tools/xenstored: Check number of strings passed to do_control()"):
>> It is possible to send a zero-string message body to xenstore's
>> XS_CONTROL handling function. Then the number of strings is used
>> for an array allocation. This leads to a crash in strcmp() in a
>> CONTROL sub-command invocation loop.
>>
>> The output of xs_count_string() should be verified and all 0 or
>> negative values should be rejected with an EINVAL. At least the
>> sub-command name must be specified.
>>
>> The xenstore crash can only be triggered from within dom0 (there
>> is a check in do_control() rejecting all non-dom0 requests with
>> an EACCES).
>
> Acked-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
>
> (Added the for-4.10 tag to the Subject.)

Release-acked-by: Julien Grall <julien.grall@xxxxxxxxxx>

Cheers,

--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
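
The check described in the quoted commit message, as an added C sketch that is not part of this thread and is not xenstored's code: the string count is validated before it sizes the vector whose first element is compared against the sub-command names. `count_strings`, `handle_control` and the sub-command table are hypothetical names chosen for illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the string counter named in the message:
 * counts the NUL-terminated strings in a len-byte message body. */
static unsigned int count_strings(const char *body, size_t len)
{
    unsigned int n = 0;
    for (size_t i = 0; i < len; i++)
        if (body[i] == '\0')
            n++;
    return n;
}

/* Constructed sub-command table (names are assumptions). */
static const char *const cmds[] = { "check", "log", "print" };

/* Returns the index of the matched sub-command, or a negative errno. */
int handle_control(const char *body, size_t len)
{
    unsigned int num = count_strings(body, len);
    const char **vec;
    int ret = -ENOENT;

    /* At least the sub-command name must be present. Without this,
     * vec[0] below would be read from a zero-element array. */
    if (num < 1)
        return -EINVAL;

    vec = calloc(num, sizeof(*vec));
    if (!vec)
        return -ENOMEM;

    /* Split the body; only the num strings that end in a NUL are used. */
    for (unsigned int i = 0; i < num; i++) {
        vec[i] = body;
        body += strlen(body) + 1;
    }

    for (size_t c = 0; c < sizeof(cmds) / sizeof(cmds[0]); c++)
        if (strcmp(vec[0], cmds[c]) == 0) {
            ret = (int)c;
            break;
        }

    free(vec);
    return ret;
}
```

A body with no terminating NUL counts as zero strings here, so it is rejected the same way as an empty body.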