From: Julien Grall <jgrall@amazon.com>
Date: Fri, 26 Feb 2021 18:26:55 +0000 (+0000)
Subject: tools/xenstored: Avoid dereferencing a NULL pointer if LiveUpdate is failing
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=29fae90baa14f518407fe7c437d38af768a3134c;p=people%2Fsstabellini%2Fxen-unstable.git%2F.git

tools/xenstored: Avoid dereferencing a NULL pointer if LiveUpdate is failing

In case of failure in do_lu_start(), XenStored will first free lu_start
and then try to dereference it.

This will result to a NULL dereference as the destruction callback will
set lu_start to NULL.

The crash can be avoided by freeing lu_start *after* the reply has been
set.

Fixes: af216a99fb4a ("tools/xenstore: add the basic framework for doing the live update")
Signed-off-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Release-Acked-by: Ian Jackson <iwj@xenproject.org>
---

diff --git a/tools/xenstore/xenstored_control.c b/tools/xenstore/xenstored_control.c
index 653890f2d9..766b243839 100644
--- a/tools/xenstore/xenstored_control.c
+++ b/tools/xenstore/xenstored_control.c
@@ -657,9 +657,8 @@ static bool do_lu_start(struct delayed_request *req)
 
 	/* We will reach this point only in case of failure. */
  out:
-	talloc_free(lu_status);
-
 	send_reply(lu_status->conn, XS_CONTROL, ret, strlen(ret) + 1);
+	talloc_free(lu_status);
 
 	return true;
 }