On 01/28/2013 11:35 AM, Peter Krempa wrote:
> When reading and dispatching of a message failed the message was freed
> but wasn't removed from the message queue.
>
> After that when the connection was about to be closed the pointer for
> the message was still present in the queue and it was passed to
> virNetMessageFree which tried to call the callback function from an
> uninitialized pointer.
>
> This patch removes the message from the queue before it's freed.

Mention CVE-2013-0170 in the commit message, now that it is public:
https://bugzilla.redhat.com/show_bug.cgi?id=893450

>
> * rpc/virnetserverclient.c: virNetServerClientDispatchRead:
> - avoid use after free of RPC messages
> ---
> src/rpc/virnetserverclient.c | 3 +++
> 1 file changed, 3 insertions(+)

ACK. Looks like we need this on {v0.10.2,v0.9.11,v0.9.6}-maint as well.

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
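The ordering the commit message describes (take the message off the queue, then free it) as an added example; this is not libvirt code or the patch under review. The `msg` and `client` types and every function name below are hypothetical, simplified stand-ins.

```c
#include <stdlib.h>

/* Simplified stand-in types (hypothetical, not libvirt's structures). */
typedef struct msg {
    struct msg *next;
    void (*cb)(struct msg *);  /* callback run by msg_free() */
} msg;
typedef struct { msg *head; } client;
static int freed;  /* number of messages released so far */
static void on_free(msg *m) { (void)m; freed++; }

static msg *msg_new(client *c) {
    msg *m = calloc(1, sizeof(*m));
    if (!m) abort();
    m->cb = on_free;
    m->next = c->head;   /* push onto the client's queue */
    c->head = m;
    return m;
}
static void msg_free(msg *m) { m->cb(m); free(m); }

/* Unlink m from the client's queue; returns 1 if it was queued. */
static int queue_remove(client *c, msg *m) {
    for (msg **p = &c->head; *p; p = &(*p)->next)
        if (*p == m) { *p = m->next; return 1; }
    return 0;
}

/* Failed read/dispatch path: unlink first, then free. */
static void dispatch_failed(client *c, msg *m) {
    queue_remove(c, m);
    msg_free(m);
}

/* Connection close: release whatever is still queued. */
static int client_close(client *c) {
    int n = 0;
    while (c->head) { msg *m = c->head; c->head = m->next; msg_free(m); n++; }
    return n;
}

/* Constructed scenario: three queued messages, the middle one fails. */
static int scenario(void) {
    client c = { NULL };
    msg_new(&c); msg *b = msg_new(&c); msg_new(&c);
    freed = 0;
    dispatch_failed(&c, b);
    int closed = client_close(&c);
    return closed * 10 + freed;  /* 2 closed at shutdown, 3 freed in total */
}
int main(void) { return scenario() == 23 ? 0 : 1; }
```

If `dispatch_failed()` skipped `queue_remove()`, `client_close()` would reach the already-freed message through the queue and call its callback pointer from released memory, which is the condition the commit message describes.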