From: Daniel P. Berrange Date: Tue, 3 Sep 2013 15:52:06 +0000 (+0100) Subject: Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296) X-Git-Tag: v1.0.5.6~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=118d26dc1fd99e0d113af364638be3e9a32f706e;p=thirdparty%2Flibvirt.git Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296) The 'stats' variable was not initialized to NULL, so if some early validation of the RPC call fails, it is possible to jump to the 'cleanup' label and VIR_FREE an uninitialized pointer. This is a security flaw, since the API can be called from a readonly connection which can trigger the validation checks. This was introduced in release v0.9.1 onwards by commit 158ba8730e44b7dd07a21ab90499996c5dec080a Author: Daniel P. Berrange Date: Wed Apr 13 16:21:35 2011 +0100 Merge all returns paths from dispatcher into single path Signed-off-by: Daniel P. Berrange (cherry picked from commit e7f400a110e2e3673b96518170bfea0855dd82c0) Conflicts: daemon/remote.c - context --- diff --git a/daemon/remote.c b/daemon/remote.c index 29ec1f52f2..9997051362 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -1163,7 +1163,7 @@ remoteDispatchDomainMemoryStats(virNetServerPtr server ATTRIBUTE_UNUSED, remote_domain_memory_stats_ret *ret) { virDomainPtr dom = NULL; - struct _virDomainMemoryStat *stats; + struct _virDomainMemoryStat *stats = NULL; int nr_stats, i; int rv = -1; struct daemonClientPrivate *priv =
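Review bot: `int nr_stats, i;` on the line after the fixed declaration is still uninitialized, while `dom`, `stats` and `rv` in the same block now all have defined initial values. The commit message says an early validation failure jumps straight to `cleanup`, and the cleanup code is not visible in this hunk, so please confirm that nothing on that path reads `nr_stats` or `i`. Otherwise, initialise them here as well so the whole declaration block is safe for an early exit. Since the message traces the bug to the commit that merged all return paths into a single path, it would also help to state whether the other dispatchers touched by that change were checked for pointers that are freed at `cleanup` without a `= NULL` initialiser. A regression test that fails validation over a readonly connection would keep this from coming back.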