Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:Update
xen
xsa324.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File xsa324.patch of Package xen
From: Juergen Gross <jgross@suse.com> Subject: tools/xenstore: drop watch event messages exceeding maximum size By setting a watch with a very large tag it is possible to trick xenstored to send watch event messages exceeding the maximum allowed payload size. This might in turn lead to a crash of xenstored as the resulting error can cause dereferencing a NULL pointer in case there is no active request being handled by the guest the watch event is being sent to. Fix that by just dropping such watch events. Additionally modify the error handling to test the pointer to be not NULL before dereferencing it. This is XSA-324. Signed-off-by: Juergen Gross <jgross@suse.com> Acked-by: Julien Grall <jgrall@amazon.com> --- xen-4.13.2-testing.orig/tools/xenstore/xenstored_core.c +++ xen-4.13.2-testing/tools/xenstore/xenstored_core.c @@ -680,6 +680,9 @@ void send_reply(struct connection *conn, /* Replies reuse the request buffer, events need a new one. */ if (type != XS_WATCH_EVENT) { bdata = conn->in; + /* Drop asynchronous responses, e.g. errors for watch events. */ + if (!bdata) + return; bdata->inhdr = true; bdata->used = 0; conn->in = NULL; --- xen-4.13.2-testing.orig/tools/xenstore/xenstored_watch.c +++ xen-4.13.2-testing/tools/xenstore/xenstored_watch.c @@ -92,6 +92,10 @@ static void add_event(struct connection } len = strlen(name) + 1 + strlen(watch->token) + 1; + /* Don't try to send over-long events. */ + if (len > XENSTORE_PAYLOAD_MAX) + return; + data = talloc_array(ctx, char, len); if (!data) return;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor