Re: [libvirt] [PATCH] rpc: Fix crash on error paths of message dispatching

On 01/28/13 19:58, Eric Blake wrote: > On 01/28/2013 11:35 AM, Peter Krempa wrote: >> When reading and dispatching of a message failed the message was freed >> but wasn't removed from the message queue. >> >> After that when the connection was about to be closed the pointer for >> the message was still present in the queue and it was passed to >> virNetMessageFree which tried to call the callback function from an >> uninitialized pointer. >> >> This patch removes the message from the queue before it's freed. > > Mention CVE-2013-0170 in the commit message, now that it is public: > https://bugzilla.redhat.com/show_bug.cgi?id=893450 > >> >> * rpc/virnetserverclient.c: virNetServerClientDispatchRead: >> - avoid use after free of RPC messages >> --- >> src/rpc/virnetserverclient.c | 3 +++ >> 1 file changed, 3 insertions(+) > > ACK. Looks like we need this on {v0.10.2,v0.9.11,v0.9.6}-maint as well. Thanks. I added the CVE notice and pushed to upstream and the v0.10.2 and v0.9.11 maint branches. v0.9.6 is not vulnerable. The problem was introduced in 0.9.7