Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Evergreen:11.1:kernel-2.6.32
xen
19242-xenstored-use-after-free-fix.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 19242-xenstored-use-after-free-fix.patch of Package xen
# HG changeset patch # User Keir Fraser <keir.fraser@citrix.com> # Date 1236003448 0 # Node ID 78f5c827a584f235c0dbfa0dc97a5f2f2afca21b # Parent b0ca8fd79d44e8b9c250309bd55e33af1f452704 xenstored: fix use-after free bug Problem: Handling requests for one connection can not only zap the connection itself, due to socket disconnects for example. It can also zap *other* connections, due to domain release requests. Especially it can zap the connection we have saved a pointer to in the "next" variable. From: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Keir Fraser <keir.fraser@citrix.com> xen-unstable changeset: 19242:226031d62fc53d92df1aa7ba5565e887fa925318 xen-unstable date: Sun Mar 01 14:50:04 2009 +0000 Index: xen-3.3.1-testing/tools/xenstore/xenstored_core.c =================================================================== --- xen-3.3.1-testing.orig/tools/xenstore/xenstored_core.c +++ xen-3.3.1-testing/tools/xenstore/xenstored_core.c @@ -1937,14 +1937,17 @@ int main(int argc, char *argv[]) handle_event(); next = list_entry(connections.next, typeof(*conn), list); + if (&next->list != &connections) + talloc_increase_ref_count(next); while (&next->list != &connections) { conn = next; next = list_entry(conn->list.next, typeof(*conn), list); + if (&next->list != &connections) + talloc_increase_ref_count(next); if (conn->domain) { - talloc_increase_ref_count(conn); if (domain_can_read(conn)) handle_input(conn); if (talloc_free(conn) == 0) @@ -1957,7 +1960,6 @@ int main(int argc, char *argv[]) if (talloc_free(conn) == 0) continue; } else { - talloc_increase_ref_count(conn); if (FD_ISSET(conn->fd, &inset)) handle_input(conn); if (talloc_free(conn) == 0)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor