authorKeir Fraser <keir.fraser@citrix.com>2009-03-01 14:50:04 +0000
committerKeir Fraser <keir.fraser@citrix.com>2009-03-01 14:50:04 +0000
commit1622101b19ef43860f846353ceef1b0bbf0ebab2 (patch)
tree7050b8a55b739d90eadcb5f198ef689dcd752c31 /tools/xenstore/xenstored_core.c
parenta81c6629250cb09057c9d352dd55b561da4332e3 (diff)
xenstored: fix use-after free bug
Problem: Handling requests for one connection can not only zap the connection itself, due to socket disconnects for example. It can also zap *other* connections, due to domain release requests. Especially it can zap the connection we have saved a pointer to in the "next" variable. From: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
Diffstat (limited to 'tools/xenstore/xenstored_core.c')
-rw-r--r--tools/xenstore/xenstored_core.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 90bfd05b91..b043ac45f8 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -1937,14 +1937,17 @@ int main(int argc, char *argv[])
handle_event();
next = list_entry(connections.next, typeof(*conn), list);
+ if (&next->list != &connections)
+ talloc_increase_ref_count(next);
while (&next->list != &connections) {
conn = next;
next = list_entry(conn->list.next,
typeof(*conn), list);
+ if (&next->list != &connections)
+ talloc_increase_ref_count(next);
if (conn->domain) {
- talloc_increase_ref_count(conn);
if (domain_can_read(conn))
handle_input(conn);
if (talloc_free(conn) == 0)
@@ -1957,7 +1960,6 @@ int main(int argc, char *argv[])
if (talloc_free(conn) == 0)
continue;
} else {
- talloc_increase_ref_count(conn);
if (FD_ISSET(conn->fd, &inset))
handle_input(conn);
if (talloc_free(conn) == 0)
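Review bot: The invariant the rewritten loop now relies on is not stated anywhere in this hunk: each `talloc_free(conn)` here releases the reference that was taken on this connection back when it was `next`, so dropping the two `talloc_increase_ref_count(conn)` calls is only correct together with the references added in the earlier hunk at -1937, and nothing in the code says so. A comment above the first `talloc_free(conn)` such as `/* drop the ref taken on conn while it was 'next'; 0 means a handler already destroyed it, so skip it */` would make that pairing visible to the next reader. The `== 0` test presumably depends on xenstored's talloc_free returning non-zero when another reference still exists, which is worth confirming against the talloc implementation since it is not part of this diff. The enclosing main() loop begins and ends outside the hunk.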