author | Daniel P. Berrange <berrange@redhat.com> | 2013-09-03 16:52:06 +0100 |
---|---|---|
committer | Eric Blake <eblake@redhat.com> | 2013-09-18 15:08:35 -0600 |
commit | a413bc2dda06f47c2ec90ec924dbceb9dd0bbf97 (patch) | |
tree | bd77ded5d2d78672a38cb9196c45ce07eddcfa53 | |
parent | c7df5ed8d81193345d104234113c29e96e1a4e01 (diff) | |
download | libvirt-a413bc2dda06f47c2ec90ec924dbceb9dd0bbf97.tar.gz |
Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296)

The 'stats' variable was not initialized to NULL, so if some
early validation of the RPC call fails, it is possible to jump
to the 'cleanup' label and VIR_FREE an uninitialized pointer.

This is a security flaw, since the API can be called from a
readonly connection which can trigger the validation checks.

This was introduced in release v0.9.1 onwards by

  commit 158ba8730e44b7dd07a21ab90499996c5dec080a
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date: Wed Apr 13 16:21:35 2011 +0100

      Merge all returns paths from dispatcher into single path

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit e7f400a110e2e3673b96518170bfea0855dd82c0)

Conflicts:
  daemon/remote.c - context
-rw-r--r-- | daemon/remote.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/daemon/remote.c b/daemon/remote.c index 6bb3a25502..afd7bc1636 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -1165,7 +1165,7 @@ remoteDispatchDomainMemoryStats(virNetServerPtr server ATTRIBUTE_UNUSED, remote_domain_memory_stats_ret *ret) { virDomainPtr dom = NULL; - struct _virDomainMemoryStat *stats; + struct _virDomainMemoryStat *stats = NULL; int nr_stats, i; int rv = -1; struct daemonClientPrivate *priv = |
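Review bot: `int nr_stats, i;` on the line after the fixed declaration is still uninitialized, and the same early jump to `cleanup` that exposed `stats` reaches the label before `nr_stats` is assigned. If the cleanup code ever reads `nr_stats` (for example to bound a loop over the array before freeing it), that is the same class of bug; initializing it to 0 alongside `stats = NULL` would close that off and match the `dom = NULL` and `rv = -1` declarations around it. Since the commit message attributes the flaw to the single-exit-path refactor, it is also worth checking the other dispatchers touched by that commit for locals that are freed at `cleanup` without an initializer, and adding a regression test that hits the validation failure on a readonly connection.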