[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen master] tools/xenstored: control: Store the save filename in lu_dump_state



commit 11d9933f6bf0cdb69cdd82c5ad2213fcbe73502f
Author:     Julien Grall <jgrall@xxxxxxxxxx>
AuthorDate: Thu Feb 25 16:33:23 2021 +0000
Commit:     Julien Grall <jgrall@xxxxxxxxxx>
CommitDate: Fri Feb 26 09:46:12 2021 +0000

    tools/xenstored: control: Store the save filename in lu_dump_state
    
    The function lu_close_dump_state() will use talloc_asprintf() without
    checking whether the allocation succeeded. In the unlikely case we are
    out of memory, we would dereference a NULL pointer.
    
    As we already computed the filename in lu_get_dump_state(), we can store
    the name in the lu_dump_state. This is avoiding to deal with memory file
    in the close path and also reduce the risk to use the different
    filename.
    
    This bug was discovered and resolved using Coverity Static Analysis
    Security Testing (SAST) by Synopsys, Inc.
    
    Fixes: c0dc6a3e7c41 ("tools/xenstore: read internal state when doing live 
upgrade")
    Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx>
    Reviewed-by: Juergen Gross <jgross@xxxxxxxx>
    Release-Acked-by: Ian Jackson <iwj@xxxxxxxxxxxxxx>
---
 tools/xenstore/xenstored_control.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/tools/xenstore/xenstored_control.c 
b/tools/xenstore/xenstored_control.c
index 8eb5782776..653890f2d9 100644
--- a/tools/xenstore/xenstored_control.c
+++ b/tools/xenstore/xenstored_control.c
@@ -16,6 +16,7 @@ Interactive commands for Xen Store Daemon.
     along with this program; If not, see <http://www.gnu.org/licenses/>.
 */
 
+#include <assert.h>
 #include <ctype.h>
 #include <errno.h>
 #include <stdarg.h>
@@ -74,6 +75,7 @@ struct lu_dump_state {
        unsigned int size;
 #ifndef __MINIOS__
        int fd;
+       char *filename;
 #endif
 };
 
@@ -399,17 +401,16 @@ static void lu_dump_close(FILE *fp)
 
 static void lu_get_dump_state(struct lu_dump_state *state)
 {
-       char *filename;
        struct stat statbuf;
 
        state->size = 0;
 
-       filename = talloc_asprintf(NULL, "%s/state_dump", xs_daemon_rootdir());
-       if (!filename)
+       state->filename = talloc_asprintf(NULL, "%s/state_dump",
+                                         xs_daemon_rootdir());
+       if (!state->filename)
                barf("Allocation failure");
 
-       state->fd = open(filename, O_RDONLY);
-       talloc_free(filename);
+       state->fd = open(state->filename, O_RDONLY);
        if (state->fd < 0)
                return;
        if (fstat(state->fd, &statbuf) != 0)
@@ -431,14 +432,13 @@ static void lu_get_dump_state(struct lu_dump_state *state)
 
 static void lu_close_dump_state(struct lu_dump_state *state)
 {
-       char *filename;
+       assert(state->filename != NULL);
 
        munmap(state->buf, state->size);
        close(state->fd);
 
-       filename = talloc_asprintf(NULL, "%s/state_dump", xs_daemon_rootdir());
-       unlink(filename);
-       talloc_free(filename);
+       unlink(state->filename);
+       talloc_free(state->filename);
 }
 
 static char *lu_exec(const void *ctx, int argc, char **argv)
--
generated by git-patchbot for /home/xen/git/xen.git#master



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.