diff options
| author | Ian Campbell <ian.campbell@citrix.com> | 2012-09-11 14:06:54 +0200 |
|---|---|---|
| committer | Ian Campbell <ian.campbell@citrix.com> | 2012-09-11 14:06:54 +0200 |
| commit | e75ecdea85ff23d916420ec299753e31c5610f47 (patch) | |
| tree | 8458b433b9ce2a0c914a4ee993cb61b396a36717 /xen/common/tmem.c | |
| parent | f14fc87af896228782ab5eaf174ce7eb27c0c4ca (diff) | |
| download | xen-e75ecdea85ff23d916420ec299753e31c5610f47.tar.gz xen-e75ecdea85ff23d916420ec299753e31c5610f47.tar.bz2 xen-e75ecdea85ff23d916420ec299753e31c5610f47.zip | |
tmem: check the pool_id is valid when destroying a tmem pool
This is part of XSA-15 / CVE-2012-3497.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Jan Beulich <jbeulich@suse.com>
Diffstat (limited to 'xen/common/tmem.c')
| -rw-r--r-- | xen/common/tmem.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/xen/common/tmem.c b/xen/common/tmem.c index 5f27ff019f..835c257e5f 100644 --- a/xen/common/tmem.c +++ b/xen/common/tmem.c @@ -1870,6 +1870,8 @@ static NOINLINE int do_tmem_destroy_pool(uint32_t pool_id) if ( client->pools == NULL ) return 0; + if ( pool_id >= MAX_POOLS_PER_DOMAIN ) + return 0; if ( (pool = client->pools[pool_id]) == NULL ) return 0; client->pools[pool_id] = NULL; |