[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH for-4.15] tools/xenstored: Avoid dereferencing a NULL pointer if LiveUpdate is failing

From: Julien Grall <jgrall@xxxxxxxxxx>

In case of failure in do_lu_start(), XenStored will first free lu_start
and then try to dereference it.

This will result to a NULL dereference as the destruction callback will
set lu_start to NULL.

The crash can be avoided by freeing lu_start *after* the reply has been

Fixes: af216a99fb4a ("tools/xenstore: add the basic framework for doing the 
live update")
Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx>


This is a bug fix candidate for 4.15. The easiest way to trigger it is
to have a XTF test that starts a transaction but never terminates it.

In this case, live-updating would fail and trigger a crash.
 tools/xenstore/xenstored_control.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/tools/xenstore/xenstored_control.c 
index 653890f2d9e0..766b2438396a 100644
--- a/tools/xenstore/xenstored_control.c
+++ b/tools/xenstore/xenstored_control.c
@@ -657,9 +657,8 @@ static bool do_lu_start(struct delayed_request *req)
        /* We will reach this point only in case of failure. */
-       talloc_free(lu_status);
        send_reply(lu_status->conn, XS_CONTROL, ret, strlen(ret) + 1);
+       talloc_free(lu_status);
        return true;



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.