xenbits.xensource.com Git - people/aperard/xen-unstable.git/commitdiff
tools/xenstore: fix get_spec_node()
author Juergen Gross <jgross@suse.com>
Thu, 27 Jul 2023 07:48:58 +0000 (09:48 +0200)
committer Jan Beulich <jbeulich@suse.com>
Thu, 27 Jul 2023 07:48:58 +0000 (09:48 +0200)
In case get_spec_node() is being called for a special node starting
with '@' it won't set *canonical_name. This can result in a crash of
xenstored due to dereferencing the uninitialized name in
fire_watches().

This is no security issue as it requires either a privileged caller or
ownership of the special node in question by an unprivileged caller
(which is questionable, as this would make the owner privileged in some
way).

Fixes: d6bb63924fc2 ("tools/xenstore: introduce dummy nodes for special watch paths")
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
tools/xenstore/xenstored_core.c

index 6d27b2dd7faac4cf7b938e9939305b925225bcae..9f1328a31feac7d64459b7d98f731f864d5773f1 100644 (file)
@@ -1253,8 +1253,11 @@ static struct node *get_spec_node(struct connection *conn, const void *ctx,
                                  const char *name, const char **canonical_name,
                                  unsigned int perm)
 {
-       if (name[0] == '@')
+       if (name[0] == '@') {
+               if (canonical_name)
+                       *canonical_name = name;
                return get_node(conn, ctx, name, perm);
+       }
 
        return get_node_canonicalized(conn, ctx, name, canonical_name, perm);
 }
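Review bot: In the new '@' branch, "*canonical_name = name;" makes the out-parameter alias the caller's own name pointer, and nothing in the hunk documents that. A one-line comment stating that special node names are returned as-is, so *canonical_name has the same lifetime as name, would keep a later caller from assuming it is a separate allocation. The branch also guards with "if (canonical_name)" while the fall-through passes canonical_name straight to get_node_canonicalized(); it is worth confirming that function accepts NULL as well, so both paths honour the same contract. Finally, the assignment happens before get_node() runs, so *canonical_name is set even when the lookup returns NULL; if callers are expected to read it on the failure path, say so in the function comment, and consider having callers initialise their local to NULL so an unset out-parameter fails predictably.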