From 46532e3e8ed5f5a736a02f67d6c805492f9ca720 Mon Sep 17 00:00:00 2001
From: Peter Krempa <pkrempa@redhat.com>
Date: Fri, 4 Jan 2013 16:15:04 +0100
Subject: [PATCH] rpc: Fix crash on error paths of message dispatching
This patch resolves CVE-2013-0170:
https://bugzilla.redhat.com/show_bug.cgi?id=893450
When reading and dispatching a message failed, the message was freed
but wasn't removed from the message queue.
After that when the connection was about to be closed the pointer for
the message was still present in the queue and it was passed to
virNetMessageFree which tried to call the callback function from an
uninitialized pointer.
This patch removes the message from the queue before it's freed.
* rpc/virnetserverclient.c: virNetServerClientDispatchRead:
    - avoid use after free of RPC messages
---
 src/rpc/virnetserverclient.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c
408428
index af0560e..446e1e9 100644
408428
--- a/src/rpc/virnetserverclient.c
408428
+++ b/src/rpc/virnetserverclient.c
408428
@@ -987,6 +987,7 @@ readmore:
408428
 
408428
         /* Decode the header so we can use it for routing decisions */
408428
         if (virNetMessageDecodeHeader(msg) < 0) {
408428
+            virNetMessageQueueServe(&client->rx);
408428
             virNetMessageFree(msg);
408428
             client->wantClose = true;
408428
             return;
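Review bot: The same four-line error sequence (`virNetMessageQueueServe(&client->rx); virNetMessageFree(msg); client->wantClose = true; return;`) is now copied into this hunk and into the two below it (the FD-count check and the per-FD receive loop); the original bug was exactly one step missing from a duplicated cleanup, so replacing each copy with `goto error;` and keeping the dequeue and the free paired under a single `error:` label would stop the next error path from drifting apart again. The value returned by virNetMessageQueueServe is discarded in all three places; if it hands back the message it removed, as its name suggests (confirm against its definition), comparing that with `msg` before the free would catch a head-of-queue mismatch instead of silently freeing a message still referenced by client->rx. virNetServerClientDispatchRead begins and ends outside these hunks, so where the label sits has to be checked against the full function.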
408428
@@ -996,6 +997,7 @@ readmore:
408428
          * file descriptors */
408428
         if (msg->header.type == VIR_NET_CALL_WITH_FDS &&
408428
             virNetMessageDecodeNumFDs(msg) < 0) {
408428
+            virNetMessageQueueServe(&client->rx);
408428
             virNetMessageFree(msg);
408428
             client->wantClose = true;
408428
             return; /* Error */
408428
@@ -1005,6 +1007,7 @@ readmore:
408428
         for (i = msg->donefds ; i < msg->nfds ; i++) {
408428
             int rv;
408428
             if ((rv = virNetSocketRecvFD(client->sock, &(msg->fds[i]))) < 0) {
408428
+                virNetMessageQueueServe(&client->rx);
408428
                 virNetMessageFree(msg);
408428
                 client->wantClose = true;
408428
                 return;
408428
-- 
1.8.1