Overview

File libvirt-Fix-crash-in-remoteDispatchDomainMemoryStats.patch of Package libvirt

From 55617ddb5fabaf74083b1888b786b3e9583c89bd Mon Sep 17 00:00:00 2001
Message-Id: <55617ddb5fabaf74083b1888b786b3e9583c89bd.1379585483.git.jdenemar@redhat.com>
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Mon, 9 Sep 2013 13:19:05 +0100
Subject: [PATCH] Fix crash in remoteDispatchDomainMemoryStats

CVE-2013-4296

The 'stats' variable was not initialized to NULL, so if some
early validation of the RPC call fails, it is possible to jump
to the 'cleanup' label and VIR_FREE an uninitialized pointer.
This is a security flaw, since the API can be called from a
readonly connection which can trigger the validation checks.

This was introduced in release v0.9.1 onwards by

  commit 158ba8730e44b7dd07a21ab90499996c5dec080a
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Wed Apr 13 16:21:35 2011 +0100

    Merge all returns paths from dispatcher into single path

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit e7f400a110e2e3673b96518170bfea0855dd82c0)

Conflicts:
	daemon/remote.c
---
 daemon/remote.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemon/remote.c b/daemon/remote.c
index 68f7120..715dca8 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -1163,7 +1163,7 @@ remoteDispatchDomainMemoryStats(virNetServerPtr server ATTRIBUTE_UNUSED,
                                 remote_domain_memory_stats_ret *ret)
 {
     virDomainPtr dom = NULL;
-    struct _virDomainMemoryStat *stats;
+    struct _virDomainMemoryStat *stats = NULL;
     int nr_stats, i;
     int rv = -1;
     struct daemonClientPrivate *priv =
-- 
1.8.3.2
openSUSE Build Service is sponsored by
Places