From aa873cb5be6c95c8a7ae95680759dcb0f90f57bb Mon Sep 17 00:00:00 2001

Message-Id: <aa873cb5be6c95c8a7ae95680759dcb0f90f57bb.1380112456.git.jdenemar@redhat.com>

From: "Daniel P. Berrange" <berrange@redhat.com>

Date: Tue, 3 Sep 2013 16:52:06 +0100

Subject: [PATCH] Fix crash in remoteDispatchDomainMemoryStats

CVE-2013-4296

The 'stats' variable was not initialized to NULL, so if some

early validation of the RPC call fails, it is possible to jump

to the 'cleanup' label and VIR_FREE an uninitialized pointer.

This is a security flaw, since the API can be called from a

readonly connection which can trigger the validation checks.

This was introduced in release v0.9.1 onwards by

  commit 158ba8730e44b7dd07a21ab90499996c5dec080a

  Author: Daniel P. Berrange <berrange@redhat.com>

  Date:   Wed Apr 13 16:21:35 2011 +0100

    Merge all returns paths from dispatcher into single path

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

(cherry picked from commit e7f400a110e2e3673b96518170bfea0855dd82c0)

---

 daemon/remote.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemon/remote.c b/daemon/remote.c

index b5395dd..afd9fb5 100644

--- a/daemon/remote.c

+++ b/daemon/remote.c

@@ -1146,7 +1146,7 @@ remoteDispatchDomainMemoryStats(virNetServerPtr server ATTRIBUTE_UNUSED,

                                 remote_domain_memory_stats_ret *ret)

 {

     virDomainPtr dom = NULL;

-    struct _virDomainMemoryStat *stats;

+    struct _virDomainMemoryStat *stats = NULL;

     int nr_stats;

     size_t i;

     int rv = -1;

-- 

1.8.3.2