If a client drops a connection unexpectedly there is a possiblity of a double free in the daemon if using SASL or TLS. This is because there is possibility for poll() on the socket, returns POLLIN and POLLHUP/ERR at the same time. Both the POLLIN and POLLHUP handling code will attempt to use qemudDispatchClientFailure to mark the client as dieing, doing a double free. It is hard to avoid this potential double-invocation of the cleanup function, so it is preferrable to make it safe Daniel
diff -rup libvirt-0.6.2.orig/qemud/qemud.c libvirt-0.6.2.new/qemud/qemud.c
--- libvirt-0.6.2.orig/qemud/qemud.c 2009-03-13 17:06:16.000000000 +0000
+++ libvirt-0.6.2.new/qemud/qemud.c 2009-05-28 17:58:44.000000000 +0100
@@ -1397,7 +1397,10 @@ static int qemudDispatchServer(struct qe
 * jobs have finished, then clean it up elsehwere */
 void qemudDispatchClientFailure(struct qemud_client *client) {
- virEventRemoveHandleImpl(client->watch);
+ if (client->watch != -1) {
+ virEventRemoveHandleImpl(client->watch);
+ client->watch = -1;
+ }
 /* Deregister event delivery callback */
 if(client->conn) {
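Review bot: The new `client->watch != -1` guard is only correct if the field holds -1 whenever no handle is registered; if a client struct can reach qemudDispatchClientFailure zero-initialised, before its watch is added, the call could remove an unrelated handle should 0 be a valid watch id. The allocation path is outside this diff, so confirm it sets `client->watch = -1`; the same applies to the `client->fd != -1` test in the second hunk, where 0 is a valid descriptor. The `if(client->conn)` block that starts at the end of this hunk runs on every call and its body is not visible here, so it is worth confirming that deregistering twice is harmless. The comment above the function should state the new contract, for example `* Safe to call more than once: each resource is released only while held and its field is reset.`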
@@ -1406,12 +1409,21 @@ void qemudDispatchClientFailure(struct q
 }
 #if HAVE_SASL
- if (client->saslconn) sasl_dispose(&client->saslconn);
+ if (client->saslconn) {
+ sasl_dispose(&client->saslconn);
+ client->saslconn = NULL;
+ }
 free(client->saslUsername);
+ client->saslUsername = NULL;
 #endif
- if (client->tlssession) gnutls_deinit (client->tlssession);
- close(client->fd);
- client->fd = -1;
+ if (client->tlssession) {
+ gnutls_deinit (client->tlssession);
+ client->tlssession = NULL;
+ }
+ if (client->fd != -1) {
+ close(client->fd);
+ client->fd = -1;
+ }
 }
-- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :| -- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
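Review bot: Resetting `client->saslconn` and `client->tlssession` to NULL stops the second free, but it does not stop the callers from continuing to use the client after the first failure. The description says the POLLIN and POLLHUP paths can both run for one poll() result, so any read or write helper reached between the two calls would now see a NULL session instead of a freed one. Those paths are outside this diff; they should return as soon as the client has been marked failed, for instance by checking `client->fd == -1` before touching the session. The return value of `close(client->fd)` is still ignored, which is tolerable on a teardown path but deserves a one-line comment saying so.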