|
 |
adeaf8 |
From 3bee40f9bd3b3c11d782b79eb90f46087d3ab9be Mon Sep 17 00:00:00 2001
|
|
|
adeaf8 |
From: "Daniel P. Berrange" <berrange@redhat.com>
|
|
|
adeaf8 |
Date: Tue, 3 Sep 2013 16:52:06 +0100
|
|
|
adeaf8 |
Subject: [PATCH] Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296)
|
|
|
adeaf8 |
|
|
|
adeaf8 |
The 'stats' variable was not initialized to NULL, so if some
|
|
|
adeaf8 |
early validation of the RPC call fails, it is possible to jump
|
|
|
adeaf8 |
to the 'cleanup' label and VIR_FREE an uninitialized pointer.
|
|
|
adeaf8 |
This is a security flaw, since the API can be called from a
|
|
|
adeaf8 |
readonly connection which can trigger the validation checks.
|
|
|
adeaf8 |
|
|
|
adeaf8 |
This was introduced in release v0.9.1 onwards by
|
|
|
adeaf8 |
|
|
|
adeaf8 |
commit 158ba8730e44b7dd07a21ab90499996c5dec080a
|
|
|
adeaf8 |
Author: Daniel P. Berrange <berrange@redhat.com>
|
|
|
adeaf8 |
Date: Wed Apr 13 16:21:35 2011 +0100
|
|
|
adeaf8 |
|
|
|
adeaf8 |
Merge all returns paths from dispatcher into single path
|
|
|
adeaf8 |
|
|
|
adeaf8 |
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
|
|
adeaf8 |
(cherry picked from commit e7f400a110e2e3673b96518170bfea0855dd82c0)
|
|
|
adeaf8 |
---
|
|
|
adeaf8 |
daemon/remote.c | 2 +-
|
|
|
adeaf8 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
adeaf8 |
|
|
|
adeaf8 |
diff --git a/daemon/remote.c b/daemon/remote.c
|
|
|
adeaf8 |
index b5395dd..afd9fb5 100644
|
|
|
adeaf8 |
--- a/daemon/remote.c
|
|
|
adeaf8 |
+++ b/daemon/remote.c
|
|
|
adeaf8 |
@@ -1146,7 +1146,7 @@ remoteDispatchDomainMemoryStats(virNetServerPtr server ATTRIBUTE_UNUSED,
|
|
|
adeaf8 |
remote_domain_memory_stats_ret *ret)
|
|
|
adeaf8 |
{
|
|
|
adeaf8 |
virDomainPtr dom = NULL;
|
|
|
adeaf8 |
- struct _virDomainMemoryStat *stats;
|
|
|
adeaf8 |
+ struct _virDomainMemoryStat *stats = NULL;
|
|
|
adeaf8 |
int nr_stats;
|
|
|
adeaf8 |
size_t i;
|
|
|
adeaf8 |
int rv = -1;
|