diff options
author | Matthew Daley <mattjd@gmail.com> | 2013-09-11 02:34:19 +1200 |
---|---|---|
committer | Ian Campbell <ian.campbell@citrix.com> | 2013-09-13 13:14:51 +0100 |
commit | 72b9c3e88c1cd205b39b178ce5e684868a1117c2 (patch) | |
tree | 712dd77f98de76d1db00d16d7d874cd1d8e1d480 | |
parent | ad6aa096e49a4ea78ca7816f6385c4d23c498fcd (diff) | |
download | xen-72b9c3e88c1cd205b39b178ce5e684868a1117c2.tar.gz xen-72b9c3e88c1cd205b39b178ce5e684868a1117c2.tar.bz2 xen-72b9c3e88c1cd205b39b178ce5e684868a1117c2.zip |
mini-os: fix use-after-free in xs_daemon_close event iteration
We need to get the next pointer before the freeing of the event.
Coverity-ID: 1056173
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Acked-By: Samuel Thibault <samuel.thibault@ens-lyon.org>
-rw-r--r-- | extras/mini-os/lib/xs.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/extras/mini-os/lib/xs.c b/extras/mini-os/lib/xs.c index a2a122098c..c603d178bf 100644 --- a/extras/mini-os/lib/xs.c +++ b/extras/mini-os/lib/xs.c @@ -29,9 +29,12 @@ struct xs_handle *xs_daemon_open() void xs_daemon_close(struct xs_handle *h) { int fd = _xs_fileno(h); - struct xenbus_event *event; - for (event = files[fd].xenbus.events; event; event = event->next) + struct xenbus_event *event, *next; + for (event = files[fd].xenbus.events; event; event = next) + { + next = event->next; free(event); + } files[fd].type = FTYPE_NONE; } |