
changeset 19243:226031d62fc5

xenstored: fix use-after free bug

Problem: Handling requests for one connection can zap not only the
connection itself (for example on a socket disconnect), it can also
zap *other* connections, through domain release requests. In
particular it can zap the connection we have saved a pointer to in the
"next" variable.

From: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
author Keir Fraser <keir.fraser@citrix.com>
date Sun Mar 01 14:50:04 2009 +0000 (2009-03-01)
parents edd7f612ebe0
children e5c696aaf2a6
files tools/xenstore/xenstored_core.c
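--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -1937,14 +1937,17 @@ int main(int argc, char *argv[])
 			handle_event();
 
 		next = list_entry(connections.next, typeof(*conn), list);
+		if (&next->list != &connections)
+			talloc_increase_ref_count(next);
 		while (&next->list != &connections) {
 			conn = next;
 
 			next = list_entry(conn->list.next,
 					  typeof(*conn), list);
+			if (&next->list != &connections)
+				talloc_increase_ref_count(next);
 
 			if (conn->domain) {
-				talloc_increase_ref_count(conn);
 				if (domain_can_read(conn))
 					handle_input(conn);
 				if (talloc_free(conn) == 0)
@@ -1957,7 +1960,6 @@ int main(int argc, char *argv[])
 				if (talloc_free(conn) == 0)
 					continue;
 			} else {
-				talloc_increase_ref_count(conn);
 				if (FD_ISSET(conn->fd, &inset))
 					handle_input(conn);
 				if (talloc_free(conn) == 0)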
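Review bot: The reference taken on `next` (both before the `while` and right after each `list_entry` advance in the first hunk) is the whole point of the fix, yet nothing in the code says why it is there; a reader seeing `talloc_increase_ref_count(next)` paired with a later `talloc_free(conn)` will assume a leak or a stray refcount. I would put a comment above the first one, `/* Handling conn may free other connections, including next; hold a reference so the list walk survives. */`, and the same pattern appears twice so a small `static` helper (e.g. `ref_next_conn(next)`) would keep the two sites from drifting. One thing to confirm: the extra reference keeps the `struct connection` memory valid, but not its membership in `connections`; if a connection destroyed from under us is unlinked by its destructor, the following iteration still reads `conn->list.next` from that unlinked node, which is only safe if list removal leaves the forward pointer usable. The enclosing `main()` loop starts and ends outside both hunks.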