# HG changeset patch
# User Ian Campbell <ian.campbell@citrix.com>
# Date 1347365847 -7200
# Node ID f53c5aadbba9d389f4a7d83f308499e22d1d1eda
# Parent  d189d99ef00c1e197321593d13282e1b57eb4a38
tmem: check for a valid client ("domain") in the save subops

This is part of XSA-15 / CVE-2012-3497.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -2379,12 +2379,18 @@ static NOINLINE int tmemc_save_subop(int
         rc = MAX_POOLS_PER_DOMAIN;
         break;
     case TMEMC_SAVE_GET_CLIENT_WEIGHT:
+        if ( client == NULL )
+            break;
         rc = client->weight == -1 ? -2 : client->weight;
         break;
     case TMEMC_SAVE_GET_CLIENT_CAP:
+        if ( client == NULL )
+            break;
         rc = client->cap == -1 ? -2 : client->cap;
         break;
     case TMEMC_SAVE_GET_CLIENT_FLAGS:
+        if ( client == NULL )
+            break;
         rc = (client->compress ? TMEM_CLIENT_COMPRESS : 0 ) |
              (client->was_frozen ? TMEM_CLIENT_FROZEN : 0 );
         break;
@@ -2408,6 +2414,8 @@ static NOINLINE int tmemc_save_subop(int
         *uuid = pool->uuid[1];
         rc = 0;
     case TMEMC_SAVE_END:
+        if ( client == NULL )
+            break;
         client->live_migrating = 0;
         if ( !list_empty(&client->persistent_invalidated_list) )
             list_for_each_entry_safe(pgp,pgp2,