xenbits.xensource.com Git - pvdrivers/win/xeniface.git/commitdiff
Fix double-free on error condition in GnttabPermitForeignAccess()
author Rafał Wojdyła <omeg@invisiblethingslab.com>
Thu, 7 Mar 2024 10:19:01 +0000 (11:19 +0100)
committer Paul Durrant <pdurrant@amazon.com>
Thu, 14 Mar 2024 09:36:54 +0000 (09:36 +0000)
XENIFACE_GNTTAB_CONTEXT associated with the request was incorrectly freed
by GnttabPermitForeignAccess() when a failure occurred. The context is also
freed by the parent function, IoctlGnttabPermitForeignAccess(), which led
to a double-free and kernel heap corruption.

GnttabStopSharing() as the final step in the failure path takes care
of cleaning up the contents of the (possibly partially initialized) context.

Signed-off-by: Rafał Wojdyła <omeg@invisiblethingslab.com>
Reviewed-by: Owen Smith <owen.smith@cloud.com>
src/xeniface/ioctl_gnttab.c

index 8ab209938c7b49146b51f32aa5c97afa06a6a369..026f29bec76b29718181eb7b514bd6fb12c85468 100644 (file)
@@ -304,12 +304,6 @@ fail2:
 fail1:
     Error("Fail1\n");
     GnttabStopSharing(Fdo, Context, Page);
-
-    if (Context != NULL) {
-        RtlZeroMemory(Context, sizeof(*Context));
-        __FreePoolWithTag(Context, XENIFACE_POOL_TAG);
-    }
-
     return Status;
 }
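Review bot: the removed block guarded on `Context != NULL`, so `fail1` was evidently reachable with a NULL `Context`; please confirm that `GnttabStopSharing(Fdo, Context, Page)` tolerates a NULL `Context` (or that the label is only reached after allocation), since it now runs unconditionally before `return Status`. It would also help to state in a short comment at `fail1` that the context is owned and freed by the caller, `IoctlGnttabPermitForeignAccess()`, on every failure return, so the next reader does not reintroduce the free here; note too that the `RtlZeroMemory` scrub before the free moves to the caller with the ownership, which is fine as long as the caller clears the partially initialized contents before releasing the pool.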