| author | Keir Fraser <keir.fraser@citrix.com> | 2009-03-01 14:50:04 +0000 |
|---|---|---|
| committer | Keir Fraser <keir.fraser@citrix.com> | 2009-03-01 14:50:04 +0000 |
| commit | 1622101b19ef43860f846353ceef1b0bbf0ebab2 | |
| tree | 7050b8a55b739d90eadcb5f198ef689dcd752c31 /tools/xenstore/xenstored_core.c | |
| parent | a81c6629250cb09057c9d352dd55b561da4332e3 | |
xenstored: fix use-after-free bug
Problem: Handling requests for one connection can not only zap the
connection itself, due to socket disconnects for example. It can also
zap *other* connections, due to domain release requests. Especially
it can zap the connection we have saved a pointer to in the "next"
variable.
From: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
Diffstat (limited to 'tools/xenstore/xenstored_core.c')

| -rw-r--r-- | tools/xenstore/xenstored_core.c | 6 |
|---|---|---|

1 files changed, 4 insertions, 2 deletions
diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c index 90bfd05b91..b043ac45f8 100644 --- a/tools/xenstore/xenstored_core.c +++ b/tools/xenstore/xenstored_core.c @@ -1937,14 +1937,17 @@ int main(int argc, char *argv[]) handle_event(); next = list_entry(connections.next, typeof(*conn), list); + if (&next->list != &connections) + talloc_increase_ref_count(next); while (&next->list != &connections) { conn = next; next = list_entry(conn->list.next, typeof(*conn), list); + if (&next->list != &connections) + talloc_increase_ref_count(next); if (conn->domain) { - talloc_increase_ref_count(conn); if (domain_can_read(conn)) handle_input(conn); if (talloc_free(conn) == 0) @@ -1957,7 +1960,6 @@ int main(int argc, char *argv[]) if (talloc_free(conn) == 0) continue; } else { - talloc_increase_ref_count(conn); if (FD_ISSET(conn->fd, &inset)) handle_input(conn); if (talloc_free(conn) == 0) |
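Review bot: In the first hunk (around line 1937), the reference now taken on `next`, both before the loop and at the top of each iteration, is the only thing that keeps the saved pointer valid while `handle_input(conn)` runs, yet nothing in the code says so; add a one-line comment above `talloc_increase_ref_count(next);` stating that handling one connection's requests may free other connections, so `next` is pinned until it becomes `conn`. The `&next->list != &connections` guard correctly avoids taking a reference on the list head at both sites; since the same two-line pattern now appears twice, consider a small helper so the two call sites cannot drift apart.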
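Review bot: In the second hunk (around line 1957), removing `talloc_increase_ref_count(conn)` from the else branch means the `talloc_free(conn)` that follows now releases the reference taken on this connection while it was still `next` (before the loop or in the previous iteration), and the same holds for the `talloc_free(conn)` in the domain branch of the first hunk. That pairing is balanced only because every path into the loop body passes one of the two increment sites; a comment at the `talloc_free(conn)` calls saying they drop the reference taken at `next` would make the ownership explicit for the next reader.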