On 01/28/2013 01:58 PM, Eric Blake wrote:
> On 01/28/2013 11:35 AM, Peter Krempa wrote:
>> When reading and dispatching of a message failed the message was freed
>> but wasn't removed from the message queue.
>>
>> After that when the connection was about to be closed the pointer for
>> the message was still present in the queue and it was passed to
>> virNetMessageFree which tried to call the callback function from an
>> uninitialized pointer.
>>
>> This patch removes the message from the queue before it's freed.
>
> Mention CVE-2013-0170 in the commit message, now that it is public:
> https://bugzilla.redhat.com/show_bug.cgi?id=893450
>
>>
>> * rpc/virnetserverclient.c: virNetServerClientDispatchRead:
>> - avoid use after free of RPC messages
>> ---
>> src/rpc/virnetserverclient.c | 3 +++
>> 1 file changed, 3 insertions(+)
>
> ACK. Looks like we need this on {v0.10.2,v0.9.11,v0.9.6}-maint as well.
>

I'll handle the backports once the patch hits master.

Thanks,
Cole

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
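The ordering that the quoted commit message describes (unlink the message from the queue, then free it), as an added example that is not libvirt code and not part of this thread. All names here (msg_t, queue_t, dispatch_failed, queue_close) are hypothetical stand-ins, and a plain singly linked queue is assumed.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for an RPC message and its per-client queue. */
typedef struct msg {
    void (*free_cb)(struct msg *m);   /* invoked by msg_free() */
    struct msg *next;
} msg_t;
typedef struct { msg_t *head; } queue_t;

static int cb_calls;                  /* how many times a free callback ran */
static void count_cb(msg_t *m) { (void)m; cb_calls++; }

static msg_t *msg_new(queue_t *q) {   /* allocate a message and enqueue it */
    msg_t *m = calloc(1, sizeof(*m));
    if (!m) abort();
    m->free_cb = count_cb;
    m->next = q->head;
    q->head = m;
    return m;
}

static void msg_free(msg_t *m) {      /* runs the callback, then releases */
    if (m->free_cb) m->free_cb(m);
    free(m);
}

/* Unlink m from q; returns 1 if it was queued, 0 otherwise. */
static int queue_remove(queue_t *q, msg_t *m) {
    for (msg_t **pp = &q->head; *pp; pp = &(*pp)->next)
        if (*pp == m) { *pp = m->next; m->next = NULL; return 1; }
    return 0;
}

/* Failed read/dispatch path in the fixed order: unlink first, then free.
 * Without the unlink, queue_close() would later walk a dangling pointer
 * and call free_cb through freed memory. */
static void dispatch_failed(queue_t *q, msg_t *m) {
    queue_remove(q, m);
    msg_free(m);
}

/* Connection close: free every message still queued; returns the count. */
static int queue_close(queue_t *q) {
    int n = 0;
    while (q->head) { msg_t *m = q->head; q->head = m->next; msg_free(m); n++; }
    return n;
}
```

Building this with `-fsanitize=address` and deleting the `queue_remove()` call makes the close path report a heap-use-after-free, which is a practical regression check for this class of bug.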