File CVE-2017-8309-qemut-audio-host-memory-leakage-v... of Package xen

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2017-8309-qemut-audio-host-memory-leakage-via-capture-buffer.patch of Package xen (Revision e246af6cb91b84df7145ba8c9bbf367c)

Currently displaying revision e246af6cb91b84df7145ba8c9bbf367c , Show latest

References: bsc#1037243 CVE-2017-8309

Subject: audio: release capture buffers
From: Gerd Hoffmann kraxel@redhat.com Fri Apr 28 09:56:12 2017 +0200
Date: Thu May 4 08:31:48 2017 +0200:
Git: 3268a845f41253fb55852a8429c32b50f36f349a

AUD_add_capture() allocates two buffers which are never released.
Add the missing calls to AUD_del_capture().

Impact: Allows vnc clients to exhaust host memory by repeatedly
starting and stopping audio capture.

Fixes: CVE-2017-8309
Cc: P J P <ppandit@redhat.com>
Cc: Huawei PSIRT <PSIRT@huawei.com>
Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20170428075612.9997-1-kraxel@redhat.com

Index: xen-4.9.0-testing/tools/qemu-xen-traditional-dir-remote/audio/audio.c
===================================================================
--- xen-4.9.0-testing.orig/tools/qemu-xen-traditional-dir-remote/audio/audio.c
+++ xen-4.9.0-testing/tools/qemu-xen-traditional-dir-remote/audio/audio.c
@@ -1937,6 +1937,8 @@ void AUD_del_capture (CaptureVoiceOut *c
                     sw = sw1;
                 }
                 LIST_REMOVE (cap, entries);
+                qemu_free (cap->hw.mix_buf);
+                qemu_free (cap->buf);
                 qemu_free (cap);
             }
             return;

Places

File CVE-2017-8309-qemut-audio-host-memory-leakage-via-capture-buffer.patch of Package xen (Revision e246af6cb91b84df7145ba8c9bbf367c)

Places