File 19242-xenstored-use-after-free-fix.patch of Package xen

# HG changeset patch
# User Keir Fraser <keir.fraser@citrix.com>
# Date 1236003448 0
# Node ID 78f5c827a584f235c0dbfa0dc97a5f2f2afca21b
# Parent  b0ca8fd79d44e8b9c250309bd55e33af1f452704
xenstored: fix use-after-free bug

Problem:  Handling requests for one connection can not only zap the
connection itself, due to socket disconnects for example.  It can also
zap *other* connections, due to domain release requests.  Especially
it can zap the connection we have saved a pointer to in the "next"
variable.

From: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
xen-unstable changeset:   19242:226031d62fc53d92df1aa7ba5565e887fa925318
xen-unstable date:        Sun Mar 01 14:50:04 2009 +0000
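The iteration hazard the commit message describes, as an added example that is not part of the Xen patch or of xenstored itself: a constructed intrusive list and a toy reference count (`conn_get`/`conn_put`, the `destroyed` flag and the `releases` field are all hypothetical stand-ins for talloc and for the domain-release path) with one walk in the pre-patch shape and one in the patched shape. Handling connection 0 drops the reference on connection 1, which is the entry the unsafe walk has already saved in `next`.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration, not Xen code: an intrusive circular list of the
 * shape xenstored walks, plus a toy reference count standing in for talloc's. */
struct list_head { struct list_head *next, *prev; };

#define list_entry(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
/* Unlink n but keep its own pointers, so stale memory stays readable and the
 * unsafe walk below can be observed instead of crashing. */
static void list_del(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; }

struct conn {
	struct list_head list;
	int refs;		/* destroyed when this drops to 0 */
	int destroyed;		/* set instead of really freeing (hypothetical) */
	struct conn *releases;	/* handling this conn drops a ref on another */
};

static struct conn pool[4];
static struct list_head connections;
static int stale_uses;		/* times a walk touched a destroyed conn */

static void conn_get(struct conn *c) { c->refs++; }
static int conn_put(struct conn *c)	/* 1 if destroyed, 0 if refs remain */
{
	if (--c->refs > 0)
		return 0;
	list_del(&c->list);
	c->destroyed = 1;
	return 1;
}

/* Stand-in for handle_input(): a domain-release request may drop another
 * connection's reference, which is the case the commit message describes. */
static void handle_input(struct conn *c)
{
	if (c->releases && !c->releases->destroyed)
		conn_put(c->releases);
}

/* Four connections; handling conn 0 releases conn 1 (constructed input). */
static void setup(void)
{
	memset(pool, 0, sizeof pool);
	list_init(&connections);
	stale_uses = 0;
	for (int i = 0; i < 4; i++) {
		pool[i].refs = 1;
		list_add_tail(&pool[i].list, &connections);
	}
	pool[0].releases = &pool[1];
}

/* Pre-patch shape: a reference on conn only, none on the saved 'next'. */
int walk_unsafe(void)
{
	struct conn *conn, *next;
	setup();
	next = list_entry(connections.next, struct conn, list);
	while (&next->list != &connections) {
		conn = next;
		if (conn->destroyed) {	/* 'next' was freed behind our back; */
			stale_uses++;	/* real code would read freed memory */
			break;
		}
		next = list_entry(conn->list.next, struct conn, list);
		conn_get(conn);
		handle_input(conn);
		conn_put(conn);
	}
	return stale_uses;
}

/* Patched shape: hold a reference on 'next' while conn is handled, released
 * through conn_put() once that entry has itself been processed. */
int walk_safe(void)
{
	struct conn *conn, *next;
	setup();
	next = list_entry(connections.next, struct conn, list);
	if (&next->list != &connections)
		conn_get(next);
	while (&next->list != &connections) {
		conn = next;
		next = list_entry(conn->list.next, struct conn, list);
		if (&next->list != &connections)
			conn_get(next);
		handle_input(conn);	/* may drop a ref on next, never its last */
		conn_put(conn);		/* releases the ref taken while it was 'next' */
	}
	return stale_uses;
}
```

`walk_unsafe()` reports one stale use: the entry saved in `next` is destroyed while connection 0 is being handled, and the following iteration starts from freed memory. `walk_safe()` reports none, because the extra reference keeps `next` alive until the loop reaches it and drops that reference with the `conn_put()` that stands in for `talloc_free(conn)`. The check against `&connections` before taking a reference mirrors the patch: the list head is not a connection object and must never be referenced.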

Index: xen-3.3.1-testing/tools/xenstore/xenstored_core.c
===================================================================
--- xen-3.3.1-testing.orig/tools/xenstore/xenstored_core.c
+++ xen-3.3.1-testing/tools/xenstore/xenstored_core.c
@@ -1937,14 +1937,17 @@ int main(int argc, char *argv[])
 			handle_event();
 
 		next = list_entry(connections.next, typeof(*conn), list);
+		if (&next->list != &connections)
+			talloc_increase_ref_count(next);
 		while (&next->list != &connections) {
 			conn = next;
 
 			next = list_entry(conn->list.next,
 					  typeof(*conn), list);
+			if (&next->list != &connections)
+				talloc_increase_ref_count(next);
 
 			if (conn->domain) {
-				talloc_increase_ref_count(conn);
 				if (domain_can_read(conn))
 					handle_input(conn);
 				if (talloc_free(conn) == 0)
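Review bot: Balance of the new `next` reference depends on every path through the loop body reaching a `talloc_free(conn)`: the reference is now taken one iteration early, at the `talloc_increase_ref_count(next)` before the loop and again right after `next` is recomputed, while the per-branch `talloc_increase_ref_count(conn)` that used to pair with the free is removed, so any `continue` or `break` inserted between the two that skips `talloc_free(conn)` would leak the connection. The guard `if (&next->list != &connections)` is required because the list head is not a talloc context; a one-line comment at that increment saying the reference is dropped by `talloc_free(conn)` once the entry has been processed would make the pairing visible to the next reader.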
@@ -1957,7 +1960,6 @@ int main(int argc, char *argv[])
 				if (talloc_free(conn) == 0)
 					continue;
 			} else {
-				talloc_increase_ref_count(conn);
 				if (FD_ISSET(conn->fd, &inset))
 					handle_input(conn);
 				if (talloc_free(conn) == 0)
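Review bot: The `talloc_free(conn)` in the socket branch now releases the reference taken when this connection was still `next` (or, for the first entry, the one taken before the loop) rather than one taken a few lines above as before; since the increment and the release are no longer adjacent, a comment at this call naming the reference it drops would help. The `continue` on a zero return remains the right guard for the rest of the body: once `talloc_free()` reports the connection gone, `conn` must not be touched again, which is the same class of error the patch fixes for `next`.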