[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen master] tools/xenstored: control: Store the save filename in lu_dump_state
commit 11d9933f6bf0cdb69cdd82c5ad2213fcbe73502f Author: Julien Grall <jgrall@xxxxxxxxxx> AuthorDate: Thu Feb 25 16:33:23 2021 +0000 Commit: Julien Grall <jgrall@xxxxxxxxxx> CommitDate: Fri Feb 26 09:46:12 2021 +0000 tools/xenstored: control: Store the save filename in lu_dump_state The function lu_close_dump_state() will use talloc_asprintf() without checking whether the allocation succeeded. In the unlikely case we are out of memory, we would dereference a NULL pointer. As we already computed the filename in lu_get_dump_state(), we can store the name in the lu_dump_state. This is avoiding to deal with memory file in the close path and also reduce the risk to use the different filename. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. Fixes: c0dc6a3e7c41 ("tools/xenstore: read internal state when doing live upgrade") Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx> Reviewed-by: Juergen Gross <jgross@xxxxxxxx> Release-Acked-by: Ian Jackson <iwj@xxxxxxxxxxxxxx> --- tools/xenstore/xenstored_control.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tools/xenstore/xenstored_control.c b/tools/xenstore/xenstored_control.c index 8eb5782776..653890f2d9 100644 --- a/tools/xenstore/xenstored_control.c +++ b/tools/xenstore/xenstored_control.c @@ -16,6 +16,7 @@ Interactive commands for Xen Store Daemon. along with this program; If not, see <http://www.gnu.org/licenses/>. */ +#include <assert.h> #include <ctype.h> #include <errno.h> #include <stdarg.h> @@ -74,6 +75,7 @@ struct lu_dump_state { unsigned int size; #ifndef __MINIOS__ int fd; + char *filename; #endif }; @@ -399,17 +401,16 @@ static void lu_dump_close(FILE *fp) static void lu_get_dump_state(struct lu_dump_state *state) { - char *filename; struct stat statbuf; state->size = 0; - filename = talloc_asprintf(NULL, "%s/state_dump", xs_daemon_rootdir()); - if (!filename) + state->filename = talloc_asprintf(NULL, "%s/state_dump", + xs_daemon_rootdir()); + if (!state->filename) barf("Allocation failure"); - state->fd = open(filename, O_RDONLY); - talloc_free(filename); + state->fd = open(state->filename, O_RDONLY); if (state->fd < 0) return; if (fstat(state->fd, &statbuf) != 0) @@ -431,14 +432,13 @@ static void lu_get_dump_state(struct lu_dump_state *state) static void lu_close_dump_state(struct lu_dump_state *state) { - char *filename; + assert(state->filename != NULL); munmap(state->buf, state->size); close(state->fd); - filename = talloc_asprintf(NULL, "%s/state_dump", xs_daemon_rootdir()); - unlink(filename); - talloc_free(filename); + unlink(state->filename); + talloc_free(state->filename); } static char *lu_exec(const void *ctx, int argc, char **argv) -- generated by git-patchbot for /home/xen/git/xen.git#master
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |