diff options
author | Konrad Rzeszutek Wilk <konrad@kernel.org> | 2013-09-10 11:08:30 -0400 |
---|---|---|
committer | Ian Campbell <ian.campbell@citrix.com> | 2013-09-13 13:12:29 +0100 |
commit | 1438d36f96e90d1116bebc6b3013634ca21c49c8 (patch) | |
tree | 1ec1163841298b8bfc8bbe8a87c757ab63fc8d6b /tools | |
parent | ae763e4224304983a1cde2fbb3d6e0c4d60b2688 (diff) | |
download | xen-1438d36f96e90d1116bebc6b3013634ca21c49c8.tar.gz xen-1438d36f96e90d1116bebc6b3013634ca21c49c8.tar.bz2 xen-1438d36f96e90d1116bebc6b3013634ca21c49c8.zip |
xenstat: Fix buffer over-run with new_domains being negative.
Coverity identified this as:
CID 1055740 Out-of-bounds read - "In xenstat_get_node:
Out-of-bounds read from a buffer (CWE-125)"
And sure enough, if xc_domain_getinfolist returns us -1, we will
try to use it later on in the for (i = 0; i < new_domains; ..)
loop.
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Diffstat (limited to 'tools')
-rw-r--r-- | tools/xenstat/libxenstat/src/xenstat.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/tools/xenstat/libxenstat/src/xenstat.c b/tools/xenstat/libxenstat/src/xenstat.c index 104655d5f1..e5facb84f5 100644 --- a/tools/xenstat/libxenstat/src/xenstat.c +++ b/tools/xenstat/libxenstat/src/xenstat.c @@ -208,15 +208,15 @@ xenstat_node *xenstat_get_node(xenstat_handle * handle, unsigned int flags) node->num_domains, DOMAIN_CHUNK_SIZE, domaininfo); + if (new_domains < 0) + goto err; tmp = realloc(node->domains, (node->num_domains + new_domains) * sizeof(xenstat_domain)); - if (tmp == NULL) { - free(node->domains); - free(node); - return NULL; - } + if (tmp == NULL) + goto err; + node->domains = tmp; domain = node->domains + node->num_domains; @@ -280,6 +280,10 @@ xenstat_node *xenstat_get_node(xenstat_handle * handle, unsigned int flags) } return node; +err: + free(node->domains); + free(node); + return NULL; } void xenstat_free_node(xenstat_node * node) |