tmem: check the pool_id is valid when destroying a tmem pool

This is part of XSA-15 / CVE-2012-3497.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

diff --git a/xen/common/tmem.c b/xen/common/tmem.c
index 5f27ff019fbb71d93851ac94f7995125cd92c815..835c257e5f67e0e38fe6563a34e8876aed8a91dc 100644 (file)
--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -1870,6 +1870,8 @@ static NOINLINE int do_tmem_destroy_pool(uint32_t pool_id)
 
     if ( client->pools == NULL )
         return 0;
+    if ( pool_id >= MAX_POOLS_PER_DOMAIN )
+        return 0;
     if ( (pool = client->pools[pool_id]) == NULL )
         return 0;
     client->pools[pool_id] = NULL;