pool/libvirt
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
d4377f43e9
libvirt/6039a2cb-CVE-2012-3445.patch
James Fehlig 687c47cc53 - Update to libvirt 0.9.13 
- S390: support for s390(x)
  - snapshot: implement new APIs for esx and vbox
  - snapshot: new query APIs and many improvements
  - virsh: Allow users to reedit rejected XML
  - nwfilter: add DHCP snooping
  - storage backend: Add RBD (RADOS Block Device) support
  - sVirt support for LXC domains inprovement

_ Update to libvirt 0.9.12
  - qemu: allow snapshotting of sheepdog and rbd disks
  - blockjob: add new AP
  - many bug fixes and improvements

OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=221
2012-08-08 17:47:16 +00:00

100 lines
3.7 KiB
Diff
Raw Blame History

commit 6039a2cb49c8af4c68460d2faf365a7e1c686c7b
Author: Jiri Denemark <jdenemar@redhat.com>
Date: Mon Jul 30 12:14:54 2012 +0200
daemon: Fix crash in virTypedParameterArrayClear
Daemon uses the following pattern when dispatching APIs with typed
parameters:
VIR_ALLOC_N(params, nparams);
virDomain*(dom, params, &nparams, flags);
virTypedParameterArrayClear(params, nparams);
In case nparams was originally set to 0, virDomain* API would fill it
with the number of typed parameters it can provide and we would use this
number (rather than zero) to clear params. Because VIR_ALLOC* returns
non-NULL pointer even if size is 0, the code would end up walking
through random memory. If we were lucky enough and the memory contained
7 (VIR_TYPED_PARAM_STRING) at the right place, we would try to free a
random pointer and crash.
Let's make sure params stays NULL when nparams is 0.
Index: libvirt-0.9.13/daemon/remote.c
===================================================================
--- libvirt-0.9.13.orig/daemon/remote.c
+++ libvirt-0.9.13/daemon/remote.c
@@ -964,7 +964,7 @@ remoteDispatchDomainGetSchedulerParamete
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
}
- if (VIR_ALLOC_N(params, nparams) < 0)
+ if (nparams && VIR_ALLOC_N(params, nparams) < 0)
goto no_memory;
if (!(dom = get_nonnull_domain(priv->conn, args->dom)))
@@ -1073,7 +1073,7 @@ remoteDispatchDomainGetSchedulerParamete
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
}
- if (VIR_ALLOC_N(params, nparams) < 0)
+ if (nparams && VIR_ALLOC_N(params, nparams) < 0)
goto no_memory;
if (!(dom = get_nonnull_domain(priv->conn, args->dom)))
@@ -1254,7 +1254,7 @@ remoteDispatchDomainBlockStatsFlags(virN
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
}
- if (VIR_ALLOC_N(params, nparams) < 0) {
+ if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
virReportOOMError();
goto cleanup;
}
@@ -1728,7 +1728,7 @@ remoteDispatchDomainGetMemoryParameters(
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
}
- if (VIR_ALLOC_N(params, nparams) < 0) {
+ if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
virReportOOMError();
goto cleanup;
}
@@ -1793,7 +1793,7 @@ remoteDispatchDomainGetNumaParameters(vi
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
}
- if (VIR_ALLOC_N(params, nparams) < 0) {
+ if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
virReportOOMError();
goto cleanup;
}
@@ -1858,7 +1858,7 @@ remoteDispatchDomainGetBlkioParameters(v
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
}
- if (VIR_ALLOC_N(params, nparams) < 0) {
+ if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
virReportOOMError();
goto cleanup;
}
@@ -2118,7 +2118,7 @@ remoteDispatchDomainGetBlockIoTune(virNe
goto cleanup;
}
- if (VIR_ALLOC_N(params, nparams) < 0) {
+ if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
virReportOOMError();
goto cleanup;
}
@@ -3621,7 +3621,7 @@ remoteDispatchDomainGetInterfaceParamete
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
}
- if (VIR_ALLOC_N(params, nparams) < 0) {
+ if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
virReportOOMError();
goto cleanup;
}
Reference in New Issue View Git Blame Copy Permalink