From: Matthew Daley <mattjd@gmail.com>
To: xen-devel@lists.xen.org
Cc: Samuel Thibault <samuel.thibault@ens-lyon.org>,
Matthew Daley <mattjd@gmail.com>,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Subject: [PATCH 5/8] mini-os: fix use-after-free in xs_daemon_close event iteration
Date: Wed, 11 Sep 2013 02:34:19 +1200 [thread overview]
Message-ID: <1378823662-20803-6-git-send-email-mattjd@gmail.com> (raw)
In-Reply-To: <1378823662-20803-1-git-send-email-mattjd@gmail.com>
We need to get the next pointer before the freeing of the event.
Coverity-ID: 1056173
Signed-off-by: Matthew Daley <mattjd@gmail.com>
---
| 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--git a/extras/mini-os/lib/xs.c b/extras/mini-os/lib/xs.c
index a2a1220..c603d17 100644
--- a/extras/mini-os/lib/xs.c
+++ b/extras/mini-os/lib/xs.c
@@ -29,9 +29,12 @@ struct xs_handle *xs_daemon_open()
void xs_daemon_close(struct xs_handle *h)
{
int fd = _xs_fileno(h);
- struct xenbus_event *event;
- for (event = files[fd].xenbus.events; event; event = event->next)
+ struct xenbus_event *event, *next;
+ for (event = files[fd].xenbus.events; event; event = next)
+ {
+ next = event->next;
free(event);
+ }
files[fd].type = FTYPE_NONE;
}
--
1.7.10.4
next prev parent reply other threads:[~2013-09-10 14:34 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-10 14:34 [PATCH 0/8] Fixes for various minor Coverity issues Matthew Daley
2013-09-10 14:34 ` [PATCH 1/8] x86: add missing va_end to hypercall_xlat_continuation Matthew Daley
2013-09-10 14:41 ` Andrew Cooper
2013-09-10 15:02 ` Keir Fraser
2013-09-10 14:34 ` [PATCH 2/8] sched/arinc653: check for guest data transfer failures Matthew Daley
2013-09-10 14:43 ` Andrew Cooper
2013-09-10 14:50 ` George Dunlap
2013-09-10 17:35 ` Kathy Hadley
2013-09-10 19:45 ` Ian Campbell
2013-09-10 15:03 ` Keir Fraser
2013-09-10 14:34 ` [PATCH 3/8] libxl: fix use-after-free in discard_events iteration Matthew Daley
2013-09-10 14:45 ` Ian Jackson
2013-09-10 14:34 ` [PATCH 4/8] libxl: correctly handle readlink() errors Matthew Daley
2013-09-10 14:47 ` Ian Jackson
2013-09-10 14:34 ` Matthew Daley [this message]
2013-09-10 14:37 ` [PATCH 5/8] mini-os: fix use-after-free in xs_daemon_close event iteration Samuel Thibault
2013-09-10 14:34 ` [PATCH 6/8] mini-os: handle possibly overlong _nodename in init_consfront Matthew Daley
2013-09-10 14:38 ` Samuel Thibault
2013-09-10 14:34 ` [PATCH 7/8] kdd: fix free of array-typed value Matthew Daley
2013-09-10 14:41 ` Tim Deegan
2013-09-10 14:46 ` Andrew Cooper
2013-09-10 14:34 ` [PATCH 8/8] xenstored: fix possible, but unlikely, stack overflow Matthew Daley
2013-09-10 14:48 ` Andrew Cooper
2013-09-10 14:48 ` Ian Jackson
2013-09-13 12:31 ` [PATCH 0/8] Fixes for various minor Coverity issues Ian Campbell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1378823662-20803-6-git-send-email-mattjd@gmail.com \
--to=mattjd@gmail.com \
--cc=samuel.thibault@ens-lyon.org \
--cc=stefano.stabellini@eu.citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).