
Re: [libvirt] [PATCH] rpc: Fix crash on error paths of message dispatching



On 01/28/13 19:58, Eric Blake wrote:
> On 01/28/2013 11:35 AM, Peter Krempa wrote:
>> When reading and dispatching of a message failed the message was freed
>> but wasn't removed from the message queue.
>>
>> After that when the connection was about to be closed the pointer for
>> the message was still present in the queue and it was passed to
>> virNetMessageFree which tried to call the callback function from an
>> uninitialized pointer.
>>
>> This patch removes the message from the queue before it's freed.
>
> Mention CVE-2013-0170 in the commit message, now that it is public:
> https://bugzilla.redhat.com/show_bug.cgi?id=893450
>
>>
>> * rpc/virnetserverclient.c: virNetServerClientDispatchRead:
>>      - avoid use after free of RPC messages
>> ---
>>   src/rpc/virnetserverclient.c | 3 +++
>>   1 file changed, 3 insertions(+)
>
> ACK.  Looks like we need this on {v0.10.2,v0.9.11,v0.9.6}-maint as well.

Thanks. I added the CVE notice and pushed to upstream and the v0.10.2 and v0.9.11 maint branches. v0.9.6 is not vulnerable. The problem was introduced in 0.9.7.

Peter
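
The failure mode described in the commit message (a message freed on the error path while still linked in the queue, then freed again when the connection closes), as an added example that is not part of the thread and not libvirt's code. The `msg` and `conn` types and every function name here are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical model of a client's message queue; not libvirt's structures. */
struct msg {
    struct msg *next;
    void (*cb)(struct msg *m, void *opaque);   /* invoked when the message is freed */
    void *opaque;
};
struct conn { struct msg *queue; };
static void count_free(struct msg *m, void *opaque) { (void)m; ++*(int *)opaque; }

static struct msg *msg_new(struct conn *c, int *counter) {
    struct msg *m = calloc(1, sizeof(*m));
    if (!m) abort();
    m->cb = count_free; m->opaque = counter;
    m->next = c->queue; c->queue = m;          /* link at the head of the queue */
    return m;
}

static void msg_free(struct msg *m) {
    if (m->cb) m->cb(m, m->opaque);   /* on a stale pointer this reads freed memory */
    free(m);
}

static int queue_remove(struct conn *c, struct msg *m) {   /* 1 if m was queued */
    for (struct msg **pp = &c->queue; *pp; pp = &(*pp)->next)
        if (*pp == m) { *pp = m->next; m->next = NULL; return 1; }
    return 0;
}

/* Error path. Calling only msg_free(m) here is the bug: c->queue keeps the
 * stale pointer, and conn_close() later passes it to msg_free() again. */
static void dispatch_failed(struct conn *c, struct msg *m) {
    queue_remove(c, m);               /* the fix: unlink before freeing */
    msg_free(m);
}

static int conn_close(struct conn *c) {   /* frees what is still queued; returns count */
    int n = 0;
    for (struct msg *m; (m = c->queue) != NULL; n++) { c->queue = m->next; msg_free(m); }
    return n;
}

int main(void) {
    int freed = 0; struct conn c = {0};
    msg_new(&c, &freed);
    dispatch_failed(&c, msg_new(&c, &freed));
    return conn_close(&c) == 1 && freed == 2 ? 0 : 1;
}
```

Building the buggy variant (without the `queue_remove` call) under AddressSanitizer reports the use after free at the callback read in `msg_free` during `conn_close`.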

