Re: [PATCH] rpc: Fix crash on error paths of message dispatching

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 01/28/2013 01:58 PM, Eric Blake wrote:
> On 01/28/2013 11:35 AM, Peter Krempa wrote:
>> When reading and dispatching of a message failed the message was freed
>> but wasn't removed from the message queue.
>>
>> After that when the connection was about to be closed the pointer for
>> the message was still present in the queue and it was passed to
>> virNetMessageFree which tried to call the callback function from an
>> uninitialized pointer.
>>
>> This patch removes the message from the queue before it's freed.
> 
> Mention CVE-2013-0170 in the commit message, now that it is public:
> https://bugzilla.redhat.com/show_bug.cgi?id=893450
> 
>>
>> * rpc/virnetserverclient.c: virNetServerClientDispatchRead:
>>     - avoid use after free of RPC messages
>> ---
>>  src/rpc/virnetserverclient.c | 3 +++
>>  1 file changed, 3 insertions(+)
> 
> ACK.  Looks like we need this on {v0.10.2,v0.9.11,v0.9.6}-maint as well.
> 

I'll handle the backports once the patch hits master.

Thanks,
Cole

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]