On Fri, Oct 27, 2017 at 04:32:15PM +0000, Pawel Wieczorkiewicz wrote:
> It is possible to send a zero-string message body to xenstore's
> XS_CONTROL handling function. Then the number of strings is used
> for an array allocation. This leads to a crash in strcmp() in a
> CONTROL sub-command invocation loop.
> The output of xs_count_string() should be verified and all 0 or
> negative values should be rejected with an EINVAL. At least the
> sub-command name must be specified.
> 
> The xenstore crash can only be triggered from within dom0 (there
> is a check in do_control() rejecting all non-dom0 requests with
> an EACCES).
> 
> Testing: reproduced with the following command:
> python -c 'print 16*"\x00"' | nc -U $XENSTORED_RUNDIR/socket
> 
> Signed-off-by: Pawel Wieczorkiewicz <wipa...@amazon.de>
> Reviewed-by: Martin Pohlack <mpohl...@amazon.de>

Acked-by: Wei Liu <wei.l...@citrix.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
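
The validation the commit message calls for, as an added C example that is not the xenstored source or the patch itself. `count_strings`, `handle_control` and the sub-command table are hypothetical stand-ins, and the message body is modelled as a plain byte buffer.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Count NUL-terminated strings in a message body (hypothetical helper,
 * modelled on the xs_count_string() the commit message names). */
static int count_strings(const char *body, size_t len)
{
    int n = 0;
    for (size_t i = 0; i < len; i++)
        if (body[i] == '\0')
            n++;
    return n;
}

/* Hypothetical sub-command table; names are constructed for the example. */
static const char *const subcmds[] = { "check", "log", "help" };

/* Returns 0 if the body names a known sub-command, else an errno value. */
int handle_control(const char *body, size_t len)
{
    int num = count_strings(body, len);

    /* The check the commit message asks for: at least the sub-command
     * name must be present, so 0 or negative counts are rejected before
     * any array is sized from num or vec[0] is read. */
    if (num < 1)
        return EINVAL;
    /* Reject trailing bytes that are not part of a terminated string. */
    if (body[len - 1] != '\0')
        return EINVAL;

    const char **vec = calloc((size_t)num, sizeof(*vec));
    if (!vec)
        return ENOMEM;
    const char *p = body;
    for (int i = 0; i < num; i++) {
        vec[i] = p;
        p += strlen(p) + 1;
    }

    int rc = EINVAL;            /* unknown sub-command */
    for (size_t c = 0; c < sizeof(subcmds) / sizeof(subcmds[0]); c++)
        if (strcmp(vec[0], subcmds[c]) == 0)
            rc = 0;
    free(vec);
    return rc;
}
```

Without the `num < 1` test, an empty body would size the array from zero and the dispatch loop would hand an unset `vec[0]` to `strcmp()`.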
