Skip to content

L
libvirt

openeuler / libvirt

通知 3
Star 0
Fork 0
L
libvirt
提交 45d6729f 编写于 作者: J Jiri Denemark 提交者: Eric Blake
浏览文件
操作

daemon: Fix crash in virTypedParameterArrayClear 

CVE-2012-3445, https://bugzilla.redhat.com/show_bug.cgi?id=844745

Daemon uses the following pattern when dispatching APIs with typed
parameters:

    VIR_ALLOC_N(params, nparams);
    virDomain*(dom, params, &nparams, flags);
    virTypedParameterArrayClear(params, nparams);

In case nparams was originally set to 0, virDomain* API would fill it
with the number of typed parameters it can provide and we would use this
number (rather than zero) to clear params. Because VIR_ALLOC* returns
non-NULL pointer even if size is 0, the code would end up walking
through random memory. If we were lucky enough and the memory contained
7 (VIR_TYPED_PARAM_STRING) at the right place, we would try to free a
random pointer and crash.

Let's make sure params stays NULL when nparams is 0.
(cherry picked from commit 6039a2cb)
上级 56f97e14
隐藏空白更改
内联 并排
Showing with 8 addition and 8 deletion
daemon/remote.c
浏览文件 @ 45d6729f
...@@ -964,7 +964,7 @@ remoteDispatchDomainGetSchedulerParameters(virNetServerPtr server ATTRIBUTE_UNUS ...@@ -964,7 +964,7 @@ remoteDispatchDomainGetSchedulerParameters(virNetServerPtr server ATTRIBUTE_UNUS
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup; goto cleanup;
} }
if (VIR_ALLOC_N(params, nparams) < 0) if (nparams && VIR_ALLOC_N(params, nparams) < 0)
goto no_memory; goto no_memory;
if (!(dom = get_nonnull_domain(priv->conn, args->dom))) if (!(dom = get_nonnull_domain(priv->conn, args->dom)))
...@@ -1019,7 +1019,7 @@ remoteDispatchDomainGetSchedulerParametersFlags(virNetServerPtr server ATTRIBUTE ...@@ -1019,7 +1019,7 @@ remoteDispatchDomainGetSchedulerParametersFlags(virNetServerPtr server ATTRIBUTE
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup; goto cleanup;
} }
if (VIR_ALLOC_N(params, nparams) < 0) if (nparams && VIR_ALLOC_N(params, nparams) < 0)
goto no_memory; goto no_memory;
if (!(dom = get_nonnull_domain(priv->conn, args->dom))) if (!(dom = get_nonnull_domain(priv->conn, args->dom)))
...@@ -1200,7 +1200,7 @@ remoteDispatchDomainBlockStatsFlags(virNetServerPtr server ATTRIBUTE_UNUSED, ...@@ -1200,7 +1200,7 @@ remoteDispatchDomainBlockStatsFlags(virNetServerPtr server ATTRIBUTE_UNUSED,
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup; goto cleanup;
} }
if (VIR_ALLOC_N(params, nparams) < 0) { if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
virReportOOMError(); virReportOOMError();
goto cleanup; goto cleanup;
} }
...@@ -1674,7 +1674,7 @@ remoteDispatchDomainGetMemoryParameters(virNetServerPtr server ATTRIBUTE_UNUSED, ...@@ -1674,7 +1674,7 @@ remoteDispatchDomainGetMemoryParameters(virNetServerPtr server ATTRIBUTE_UNUSED,
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup; goto cleanup;
} }
if (VIR_ALLOC_N(params, nparams) < 0) { if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
virReportOOMError(); virReportOOMError();
goto cleanup; goto cleanup;
} }
...@@ -1739,7 +1739,7 @@ remoteDispatchDomainGetNumaParameters(virNetServerPtr server ATTRIBUTE_UNUSED, ...@@ -1739,7 +1739,7 @@ remoteDispatchDomainGetNumaParameters(virNetServerPtr server ATTRIBUTE_UNUSED,
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup; goto cleanup;
} }
if (VIR_ALLOC_N(params, nparams) < 0) { if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
virReportOOMError(); virReportOOMError();
goto cleanup; goto cleanup;
} }
...@@ -1804,7 +1804,7 @@ remoteDispatchDomainGetBlkioParameters(virNetServerPtr server ATTRIBUTE_UNUSED, ...@@ -1804,7 +1804,7 @@ remoteDispatchDomainGetBlkioParameters(virNetServerPtr server ATTRIBUTE_UNUSED,
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup; goto cleanup;
} }
if (VIR_ALLOC_N(params, nparams) < 0) { if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
virReportOOMError(); virReportOOMError();
goto cleanup; goto cleanup;
} }
...@@ -2064,7 +2064,7 @@ remoteDispatchDomainGetBlockIoTune(virNetServerPtr server ATTRIBUTE_UNUSED, ...@@ -2064,7 +2064,7 @@ remoteDispatchDomainGetBlockIoTune(virNetServerPtr server ATTRIBUTE_UNUSED,
goto cleanup; goto cleanup;
} }
if (VIR_ALLOC_N(params, nparams) < 0) { if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
virReportOOMError(); virReportOOMError();
goto cleanup; goto cleanup;
} }
...@@ -3563,7 +3563,7 @@ remoteDispatchDomainGetInterfaceParameters(virNetServerPtr server ATTRIBUTE_UNUS ...@@ -3563,7 +3563,7 @@ remoteDispatchDomainGetInterfaceParameters(virNetServerPtr server ATTRIBUTE_UNUS
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup; goto cleanup;
} }
if (VIR_ALLOC_N(params, nparams) < 0) { if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
virReportOOMError(); virReportOOMError();
goto cleanup; goto cleanup;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册