[v0.9.12-maint v3 06/12] rpc: Fix crash on error paths of message dispatching


 



From: Peter Krempa <pkrempa@xxxxxxxxxx>

This patch resolves CVE-2013-0170:
https://bugzilla.redhat.com/show_bug.cgi?id=893450

When reading and dispatching of a message failed the message was freed
but wasn't removed from the message queue.

After that when the connection was about to be closed the pointer for
the message was still present in the queue and it was passed to
virNetMessageFree which tried to call the callback function from an
uninitialized pointer.

This patch removes the message from the queue before it's freed.

* rpc/virnetserverclient.c: virNetServerClientDispatchRead:
    - avoid use after free of RPC messages

(cherry picked from commit 46532e3e8ed5f5a736a02f67d6c805492f9ca720)
---
 src/rpc/virnetserverclient.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c
index 67600fd..3838136 100644
--- a/src/rpc/virnetserverclient.c
+++ b/src/rpc/virnetserverclient.c
@@ -840,6 +840,7 @@ readmore:
 
         /* Decode the header so we can use it for routing decisions */
         if (virNetMessageDecodeHeader(msg) < 0) {
+            virNetMessageQueueServe(&client->rx);
             virNetMessageFree(msg);
             client->wantClose = true;
             return;
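Review bot: In the virNetMessageDecodeHeader() failure branch, the added call takes only &client->rx and its result is unused, so nothing at this site shows that the entry taken off the queue is the same msg that is freed on the next line. Either check that the served message equals msg, or add a short comment stating that msg is the head of client->rx at this point. Otherwise a later change to how rx is filled could leave a freed pointer queued again without anyone noticing.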
@@ -849,6 +850,7 @@ readmore:
          * file descriptors */
         if (msg->header.type == VIR_NET_CALL_WITH_FDS &&
             virNetMessageDecodeNumFDs(msg) < 0) {
+            virNetMessageQueueServe(&client->rx);
             virNetMessageFree(msg);
             client->wantClose = true;
             return; /* Error */
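Review bot: The virNetMessageDecodeNumFDs() failure branch gains the dequeue without any comment on why it must come before virNetMessageFree(msg), and the existing "/* Error */" remark does not cover it. A one-line comment saying that client->rx must not keep a pointer to the freed message would stop the call from being reordered or dropped as redundant in a later cleanup.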
@@ -858,6 +860,7 @@ readmore:
         for (i = msg->donefds ; i < msg->nfds ; i++) {
             int rv;
             if ((rv = virNetSocketRecvFD(client->sock, &(msg->fds[i]))) < 0) {
+                virNetMessageQueueServe(&client->rx);
                 virNetMessageFree(msg);
                 client->wantClose = true;
                 return;
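Review bot: The dequeue, free, wantClose = true, return sequence in the virNetSocketRecvFD() failure branch now appears in three error paths under readmore:, so the next error path added here can omit the dequeue and bring the use after free back. Consider moving the four statements to a single error label or a small helper that every failure branch jumps to or calls, which keeps the ordering in one place.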
-- 
1.8.4.rc3

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



