Fix crash in libvirtd when events are registered & ACLs activeCVE-2013-4399

When a client disconnects from libvirtd, all event callbacks
must be removed. This involves running the public API

  virConnectDomainEventDeregisterAny

This code does not run in normal API dispatch context, so no
identity was set. The result was that the access control drivers
denied the attempt to deregister callbacks. The callbacks thus
continued to trigger after the client was free'd causing fairly
predictable use of free memory & a crash.

This can be triggered by any client with readonly access when
the ACL drivers are active.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

1 files changed, 6 insertions, 0 deletions

diff --git a/daemon/remote.c b/daemon/remote.c
index 9497cc131e..f3de6a0ada 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -666,8 +666,11 @@ void remoteClientFreeFunc(void *data)
 
     /* Deregister event delivery callback */
     if (priv->conn) {
+        virIdentityPtr sysident = virIdentityGetSystem();
         size_t i;
 
+        virIdentitySetCurrent(sysident);
+
         for (i = 0; i < VIR_DOMAIN_EVENT_ID_LAST; i++) {
             if (priv->domainEventCallbackID[i] != -1) {
                 VIR_DEBUG("Deregistering to relay remote events %zu", i);
@@ -678,6 +681,9 @@ void remoteClientFreeFunc(void *data)
         }
 
         virConnectClose(priv->conn);
+
+        virIdentitySetCurrent(NULL);
+        virObjectUnref(sysident);
     }
 
     VIR_FREE(priv);