Overview

File 25852-tmem-xsa-15-3.patch of Package xen.openSUSE_12.1_Update

References: bnc#777890

# HG changeset patch
# User Ian Campbell <ian.campbell@citrix.com>
# Date 1347365214 -7200
# Node ID d189d99ef00c1e197321593d13282e1b57eb4a38
# Parent  fcf567acc92ae57f4adfbe967b01a2ba0390c08f
tmem: check the pool_id is valid when destroying a tmem pool

This is part of XSA-15 / CVE-2012-3497.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -1873,6 +1873,8 @@ static NOINLINE int do_tmem_destroy_pool
 
     if ( client->pools == NULL )
         return 0;
+    if ( pool_id >= MAX_POOLS_PER_DOMAIN )
+        return 0;
     if ( (pool = client->pools[pool_id]) == NULL )
         return 0;
     client->pools[pool_id] = NULL;
openSUSE Build Service is sponsored by
Places