
On 09/12/2012 04:44 PM, Martin Kletzander wrote:
> When generating RPC protocol messages, it's strictly needed to have continuous line of numbers or RPC messages. However in case anyone tries backporting some functionality and will skip a number, there is a possibility to make the daemon segfault with newer virsh (version of the library, rpc call, etc.) even unintentionally.
>
> The problem is that the skipped numbers will get func filled with NULLs, but there is no check whether these are set before the daemon tries to run them. This patch very simply enhances one check and fixes that.
> ---
>  src/rpc/virnetserverprogram.c | 11 +++++++++--
>  1 file changed, 9 insertions(+), 2 deletions(-)
Given that this fixes CVE-2012-4423, I have gone and backported it to v0.9.6-maint and v0.9.11-maint.

https://bugzilla.redhat.com/show_bug.cgi?id=857135

--
Eric Blake   eblake@redhat.com   +1-919-301-3266
Libvirt virtualization library http://libvirt.org
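The dispatch-table gap that the patch closes, shown as an added example that is not libvirt's code: a procedure-number table with one skipped slot, the bounds-only lookup that hands back a NULL handler, and the lookup with the extra `func == NULL` check. All type and function names here are invented for the illustration.

```c
#include <stddef.h>

/* Constructed illustration of the bug described in the mail; not libvirt's
 * code. Names (rpc_proc, get_proc, dispatch, ...) are invented. */

typedef int (*rpc_handler)(const char *args);

struct rpc_proc {
    rpc_handler func;   /* stays NULL when a procedure number was never defined */
    size_t arg_len;
};

static int hello(const char *args) { (void)args; return 1; }
static int bye(const char *args)   { (void)args; return 2; }

/* Constructed table: number 1 was skipped, so C zero-fills its slot and
 * func is NULL there, exactly the situation a careless backport creates. */
static const struct rpc_proc procs[] = {
    [0] = { hello, 0 },
    /* [1] intentionally absent */
    [2] = { bye, 0 },
};
static const size_t nprocs = sizeof(procs) / sizeof(procs[0]);

/* Bounds-only lookup: a skipped number passes and the caller gets a NULL
 * handler back, which is what made the daemon crash. */
static const struct rpc_proc *get_proc_unsafe(unsigned proc)
{
    if (proc >= nprocs)
        return NULL;
    return &procs[proc];
}

/* Lookup with the enhanced check: an unfilled slot is treated like an
 * out-of-range number and rejected before anything is called. */
static const struct rpc_proc *get_proc(unsigned proc)
{
    if (proc >= nprocs || procs[proc].func == NULL)
        return NULL;
    return &procs[proc];
}

/* Returns the handler's result, or -1 when the procedure is unknown. */
static int dispatch(unsigned proc, const char *args)
{
    const struct rpc_proc *p = get_proc(proc);
    if (p == NULL)
        return -1;
    return p->func(args);
}
```

Calling `get_proc_unsafe(1)->func` would dereference NULL; `dispatch(1, ...)` instead reports an unknown procedure.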