Fix possible invalid read in adminClientGetInfo

virNetServerClientGetInfo returns the client's remote address as a string, which is a part of the client object. Use VIR_STRDUP to make a copy which can be freely accessed even after the virNetServerClient object is unlocked. To reproduce, put a sleep between virObjectUnlock in virNetServerClientGetInfo and virTypedParamsAddString in adminClientGetInfo, then close the queried connection during that sleep.

Fix possible invalid read in adminClientGetInfo
virNetServerClientGetInfo returns the client's remote address as a string, which is a part of the client object. Use VIR_STRDUP to make a copy which can be freely accessed even after the virNetServerClient object is unlocked. To reproduce, put a sleep between virObjectUnlock in virNetServerClientGetInfo and virTypedParamsAddString in adminClientGetInfo, then close the queried connection during that sleep.
a3f565b3 · Ján Tomko · ca5d51df · a3f565b3 · a3f565b3 · a3f565b3
隐藏空白更改
内联并排

Showing with 9 addition and 4 deletion

daemon/admin_server.c daemon/admin_server.c +2 -1

src/rpc/virnetserverclient.c src/rpc/virnetserverclient.c +6 -2

src/rpc/virnetserverclient.h src/rpc/virnetserverclient.h +1 -1

未找到文件。
--- a/daemon/admin_server.c
+++ b/daemon/admin_server.c
@@ -221,7 +221,7 @@ adminClientGetInfo(virNetServerClientPtr client,
    int ret = -1;
    int maxparams = 0;
    bool readonly;
-    const char *sock_addr = NULL;
+    char *sock_addr = NULL;
    const char *attr = NULL;
    virTypedParameterPtr tmpparams = NULL;
    virIdentityPtr identity = NULL;
@@ -300,6 +300,7 @@ adminClientGetInfo(virNetServerClientPtr client,

 cleanup:
    virObjectUnref(identity);
+    VIR_FREE(sock_addr);
    return ret;
 }


--- a/src/rpc/virnetserverclient.c
+++ b/src/rpc/virnetserverclient.c
@@ -1606,20 +1606,24 @@ virNetServerClientGetTransport(virNetServerClientPtr client)

 int
 virNetServerClientGetInfo(virNetServerClientPtr client,
-                          bool *readonly, const char **sock_addr,
+                          bool *readonly, char **sock_addr,
                          virIdentityPtr *identity)
 {
    int ret = -1;
+    const char *addr;

    virObjectLock(client);
    *readonly = client->readonly;

-    if (!(*sock_addr = virNetServerClientRemoteAddrStringURI(client))) {
+    if (!(addr = virNetServerClientRemoteAddrStringURI(client))) {
        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                       _("No network socket associated with client"));
        goto cleanup;
    }

+    if (VIR_STRDUP(*sock_addr, addr) < 0)
+        goto cleanup;
+
    if (!client->identity) {
        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                       _("No identity information available for client"));

--- a/src/rpc/virnetserverclient.h
+++ b/src/rpc/virnetserverclient.h
@@ -149,7 +149,7 @@ bool virNetServerClientNeedAuth(virNetServerClientPtr client);

 int virNetServerClientGetTransport(virNetServerClientPtr client);
 int virNetServerClientGetInfo(virNetServerClientPtr client,
-                              bool *readonly, const char **sock_addr,
+                              bool *readonly, char **sock_addr,
                              virIdentityPtr *identity);

 #endif /* __VIR_NET_SERVER_CLIENT_H__ */