Fix possible invalid read in adminClientGetInfo

virNetServerClientGetInfo returns the client's remote address
as a string, which is a part of the client object.

Use VIR_STRDUP to make a copy which can be freely accessed
even after the virNetServerClient object is unlocked.

To reproduce, put a sleep between virObjectUnlock in
virNetServerClientGetInfo and virTypedParamsAddString in
adminClientGetInfo, then close the queried connection during
that sleep.

diff --git a/daemon/admin_server.c b/daemon/admin_server.c
index cb9079c1f32ed0d90e0bddf37408773cdb69ba57..9f24f680bec608a7a4f1ffddaabecafc4b629040 100644 (file)
--- a/daemon/admin_server.c
+++ b/daemon/admin_server.c
@@ -221,7 +221,7 @@ adminClientGetInfo(virNetServerClientPtr client,
     int ret = -1;
     int maxparams = 0;
     bool readonly;
-    const char *sock_addr = NULL;
+    char *sock_addr = NULL;
     const char *attr = NULL;
     virTypedParameterPtr tmpparams = NULL;
     virIdentityPtr identity = NULL;
@@ -300,6 +300,7 @@ adminClientGetInfo(virNetServerClientPtr client,
 
  cleanup:
     virObjectUnref(identity);
+    VIR_FREE(sock_addr);
     return ret;
 }
 

diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c
index 39fe86073e25c63a0419b3972f14022ec17d912a..81da82cab320eff1582ce0a1f0c76ce44f564235 100644 (file)
--- a/src/rpc/virnetserverclient.c
+++ b/src/rpc/virnetserverclient.c
@@ -1606,20 +1606,24 @@ virNetServerClientGetTransport(virNetServerClientPtr client)
 
 int
 virNetServerClientGetInfo(virNetServerClientPtr client,
-                          bool *readonly, const char **sock_addr,
+                          bool *readonly, char **sock_addr,
                           virIdentityPtr *identity)
 {
     int ret = -1;
+    const char *addr;
 
     virObjectLock(client);
     *readonly = client->readonly;
 
-    if (!(*sock_addr = virNetServerClientRemoteAddrStringURI(client))) {
+    if (!(addr = virNetServerClientRemoteAddrStringURI(client))) {
         virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                        _("No network socket associated with client"));
         goto cleanup;
     }
 
+    if (VIR_STRDUP(*sock_addr, addr) < 0)
+        goto cleanup;
+
     if (!client->identity) {
         virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                        _("No identity information available for client"));

diff --git a/src/rpc/virnetserverclient.h b/src/rpc/virnetserverclient.h
index c243a688250ffbd843d62fb98d19ed2db58c0ef5..a53cc00b206e33e6dc2f97b4752b6f57ec5111fe 100644 (file)
--- a/src/rpc/virnetserverclient.h
+++ b/src/rpc/virnetserverclient.h
@@ -149,7 +149,7 @@ bool virNetServerClientNeedAuth(virNetServerClientPtr client);
 
 int virNetServerClientGetTransport(virNetServerClientPtr client);
 int virNetServerClientGetInfo(virNetServerClientPtr client,
-                              bool *readonly, const char **sock_addr,
+                              bool *readonly, char **sock_addr,
                               virIdentityPtr *identity);
 
 #endif /* __VIR_NET_SERVER_CLIENT_H__ */