From addf5e1b3160cbc91cf0f56cd97d1a38a6fb91e8 Mon Sep 17 00:00:00 2001 From: Martin Kletzander Date: Wed, 12 Sep 2012 23:43:26 +0200 Subject: [PATCH] security: Fix libvirtd crash possibility Fix for CVE-2012-4423. When generating RPC protocol messages, it's strictly needed to have a continuous line of numbers or RPC messages. However in case anyone tries backporting some functionality and will skip a number, there is a possibility to make the daemon segfault with newer virsh (version of the library, rpc call, etc.) even unintentionally. The problem is that the skipped numbers will get func filled with NULLs, but there is no check whether these are set before the daemon tries to run them. This patch very simply enhances one check and fixes that. (cherry picked from commit b7ff9e696063189a715802d081d55a398663c15a) --- src/rpc/virnetserverprogram.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/rpc/virnetserverprogram.c b/src/rpc/virnetserverprogram.c index 7f589c8e86..5439878f8f 100644 --- a/src/rpc/virnetserverprogram.c +++ b/src/rpc/virnetserverprogram.c @@ -1,7 +1,7 @@ /* * virnetserverprogram.c: generic network RPC server program * - * Copyright (C) 2006-2011 Red Hat, Inc. + * Copyright (C) 2006-2012 Red Hat, Inc. * Copyright (C) 2006 Daniel P. Berrange * * This library is free software; you can redistribute it and/or @@ -101,12 +101,19 @@ int virNetServerProgramMatches(virNetServerProgramPtr prog, static virNetServerProgramProcPtr virNetServerProgramGetProc(virNetServerProgramPtr prog, int procedure) { + virNetServerProgramProcPtr proc; + if (procedure < 0) return NULL; if (procedure >= prog->nprocs) return NULL; - return &prog->procs[procedure]; + proc = &prog->procs[procedure]; + + if (!proc->func) + return NULL; + + return proc; } unsigned int -- GitLab