|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH] x86/hvm/ioreq: fix out of bounds access in error path
It is possible to call the error path with i pointing beyond the end
of the array.
There is another bug that if there is already a default ioreq server,
the code will actually sets the element to NULL, hence leaking memory.
Move setting NULL to where it is needed.
Coverity-ID: 1433777
Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx>
---
Cc: Jan Beulich <jbeulich@xxxxxxxx>
Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Cc: Paul Durrant <paul.durrant@xxxxxxxxxx>
---
xen/arch/x86/hvm/ioreq.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/xen/arch/x86/hvm/ioreq.c b/xen/arch/x86/hvm/ioreq.c
index 9435291e87..2275278305 100644
--- a/xen/arch/x86/hvm/ioreq.c
+++ b/xen/arch/x86/hvm/ioreq.c
@@ -811,7 +811,10 @@ int hvm_create_ioreq_server(struct domain *d, bool
is_default,
rc = hvm_ioreq_server_init(s, d, bufioreq_handling, i);
if ( rc )
+ {
+ set_ioreq_server(d, i, NULL);
goto fail;
+ }
if ( i == DEFAULT_IOSERVID )
hvm_ioreq_server_enable(s);
@@ -825,8 +828,6 @@ int hvm_create_ioreq_server(struct domain *d, bool
is_default,
return 0;
fail:
- set_ioreq_server(d, i, NULL);
-
spin_unlock_recursive(&d->arch.hvm_domain.ioreq_server.lock);
domain_unpause(d);
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |