From mboxrd@z Thu Jan 1 00:00:00 1970 From: Konrad Rzeszutek Wilk Subject: Re: [PATCH for-4.5 2/3] python/xc: Fix multiple issues in pyxc_readconsolering() Date: Mon, 1 Dec 2014 16:14:56 -0500 Message-ID: <20141201211456.GH22021@laptop.dumpdata.com> References: <1417091674-8163-1-git-send-email-andrew.cooper3@citrix.com> <1417091674-8163-3-git-send-email-andrew.cooper3@citrix.com> <1417174732.23604.13.camel@citrix.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline In-Reply-To: <1417174732.23604.13.camel@citrix.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Ian Campbell Cc: Andrew Cooper , Wei Liu , Ian Jackson , Xen Coverity Team , Xen-devel List-Id: xen-devel@lists.xenproject.org On Fri, Nov 28, 2014 at 11:38:52AM +0000, Ian Campbell wrote: > On Thu, 2014-11-27 at 12:34 +0000, Andrew Cooper wrote: > > Don't leak a 16k allocation if PyArg_ParseTupleAndKeywords() or the first > > xc_readconsolering() fail. It is trivial to run throught the processes memory > > by repeatedly passing junk parameters to this function. > > > > In the case that the call to xc_readconsolering() in the while loop fails, > > reinstate str before breaking out, and passing a spurious pointer to free(). > > > > Signed-off-by: Andrew Cooper > > Coverity-IDs: 1054984 1055906 > > CC: Ian Campbell > > CC: Ian Jackson > > CC: Wei Liu > > CC: Xen Coverity Team > > Acked-by: Ian Campbell Release-Acked-by: Konrad Rzeszutek Wilk > > > --- > > tools/python/xen/lowlevel/xc/xc.c | 13 ++++++------- > > 1 file changed, 6 insertions(+), 7 deletions(-) > > > > diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c > > index c70b388..2aa0dc7 100644 > > --- a/tools/python/xen/lowlevel/xc/xc.c > > +++ b/tools/python/xen/lowlevel/xc/xc.c > > @@ -1089,7 +1089,7 @@ static PyObject *pyxc_readconsolering(XcObject *self, > > { > > unsigned int clear = 0, index = 0, incremental = 0; > > unsigned int count = 16384 + 1, size = count; > > - char *str = malloc(size), *ptr; > > + char *str, *ptr; > > PyObject *obj; > > int ret; > > > > @@ -1097,15 +1097,17 @@ static PyObject *pyxc_readconsolering(XcObject *self, > > > > if ( !PyArg_ParseTupleAndKeywords(args, kwds, "|iii", kwd_list, > > &clear, &index, &incremental) || > > - !str ) > > + !(str = malloc(size)) ) > > return NULL; > > > > ret = xc_readconsolering(self->xc_handle, str, &count, clear, > > incremental, &index); > > - if ( ret < 0 ) > > + if ( ret < 0 ) { > > + free(str); > > return pyxc_error_to_exception(self->xc_handle); > > + } > > > > - while ( !incremental && count == size ) > > + while ( !incremental && count == size && ret >= 0 ) > > { > > size += count - 1; > > if ( size < count ) > > @@ -1119,9 +1121,6 @@ static PyObject *pyxc_readconsolering(XcObject *self, > > count = size - count; > > ret = xc_readconsolering(self->xc_handle, str, &count, clear, > > 1, &index); > > - if ( ret < 0 ) > > - break; > > - > > count += str - ptr; > > str = ptr; > > } > > > > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xen.org > http://lists.xen.org/xen-devel