Re: [libvirt] [PATCH] rpc: Fix crash on error paths of message dispatching

On 01/28/2013 11:35 AM, Peter Krempa wrote: > When reading and dispatching of a message failed the message was freed > but wasn't removed from the message queue. > > After that when the connection was about to be closed the pointer for > the message was still present in the queue and it was passed to > virNetMessageFree which tried to call the callback function from an > uninitialized pointer. > > This patch removes the message from the queue before it's freed. Mention CVE-2013-0170 in the commit message, now that it is public: https://bugzilla.redhat.com/show_bug.cgi?id=893450 > > * rpc/virnetserverclient.c: virNetServerClientDispatchRead: > - avoid use after free of RPC messages > --- > src/rpc/virnetserverclient.c | 3 +++ > 1 file changed, 3 insertions(+) ACK. Looks like we need this on {v0.10.2,v0.9.11,v0.9.6}-maint as well.