xenstored: fix use-after-free bug
author Keir Fraser <keir.fraser@citrix.com>
Sun, 1 Mar 2009 14:50:04 +0000 (14:50 +0000)
committer Keir Fraser <keir.fraser@citrix.com>
Sun, 1 Mar 2009 14:50:04 +0000 (14:50 +0000)
Problem:  Handling requests for one connection can not only zap the
connection itself, due to socket disconnects for example.  It can also
zap *other* connections, due to domain release requests.  Especially
it can zap the connection we have saved a pointer to in the "next"
variable.

From: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
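To make the failure mode described in the commit message concrete, the following is an added stand-alone C example, not xenstored's code: a three-connection list is walked once with the pre-patch loop and once with the patched loop, in a constructed scenario where handling the first connection releases the second, i.e. the connection the walk has already saved in `next`. The `list_*` helpers, `struct conn`, `conn_get`/`conn_put` and `handle_input` are simplified stand-ins for list.h, talloc's reference counting and xenstored's request handlers (all assumptions of this example); `conn_put` mirrors the `talloc_free()` return value the loop relies on, returning 0 only when the object is actually torn down. Memory is never handed back to the allocator, so a stale access is counted instead of being undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Intrusive doubly linked list of the shape the hunk's list_entry() walks.
 * Stand-alone reimplementation for this example, not xenstored's list.h. */
struct list_head { struct list_head *next, *prev; };
#define list_entry(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n; }
static void list_del(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; }

/* Hypothetical connection with a talloc-style reference count. Memory is never
 * returned to the allocator: `freed` is set instead and every later access
 * through conn_get() is counted, so the use-after-free is observable. */
struct conn {
    struct list_head list;
    int id, refs, freed;      /* refs == 1: owned by the connection list only */
    struct conn *releases;    /* another connection a request on this one tears down */
};

static struct list_head connections;
static struct conn pool[3];
static int uaf_count;         /* accesses to an already freed struct conn */

static struct conn *conn_get(struct conn *c) { if (c->freed) uaf_count++; return c; }

/* Mirrors talloc_free() as the loop relies on it: -1 if only a reference was
 * dropped and the object survives, 0 if it was actually torn down. */
static int conn_put(struct conn *c)
{
    if (--c->refs > 0)
        return -1;
    list_del(&c->list);       /* what the connection destructor does */
    c->freed = 1;
    return 0;
}

/* Handling a request on one connection may tear down a *different* one:
 * the domain-release case the commit message describes. */
static void handle_input(struct conn *c)
{
    if (conn_get(c)->releases)
        conn_put(c->releases);
}

/* Pre-patch loop: the reference covers `conn` only, so `next` can be freed
 * underneath the walk while handle_input(conn) runs. */
static int walk_buggy(void)
{
    struct conn *conn, *next;
    uaf_count = 0;
    next = list_entry(connections.next, struct conn, list);
    while (&next->list != &connections) {
        conn = next;
        next = list_entry(conn_get(conn)->list.next, struct conn, list);
        conn->refs++;                    /* talloc_increase_ref_count(conn) */
        handle_input(conn);
        if (conn_put(conn) == 0)
            continue;
    }
    return uaf_count;
}

/* Patched loop: a reference is held on `next` across handle_input(conn), so a
 * release from inside the handler only drops that reference; the object is torn
 * down by the conn_put() of the following iteration, after its last use. */
static int walk_fixed(void)
{
    struct conn *conn, *next;
    uaf_count = 0;
    next = list_entry(connections.next, struct conn, list);
    if (&next->list != &connections)
        next->refs++;                    /* talloc_increase_ref_count(next) */
    while (&next->list != &connections) {
        conn = next;
        next = list_entry(conn_get(conn)->list.next, struct conn, list);
        if (&next->list != &connections)
            next->refs++;
        handle_input(conn);
        if (conn_put(conn) == 0)         /* drops the reference taken on it as `next` */
            continue;
    }
    return uaf_count;
}

/* Constructed scenario: three connections; a request on conn 1 releases conn 2,
 * which is exactly the connection the walk has saved in `next`. */
static void setup(void)
{
    int i;
    list_init(&connections);
    for (i = 0; i < 3; i++) {
        pool[i].id = i + 1; pool[i].refs = 1; pool[i].freed = 0; pool[i].releases = NULL;
        list_add_tail(&pool[i].list, &connections);
    }
    pool[0].releases = &pool[1];
}

int main(void)
{
    setup(); printf("pre-patch walk: %d stale access(es)\n", walk_buggy());
    setup(); printf("patched walk:   %d stale access(es)\n", walk_fixed());
    return 0;
}
```

The buggy walk touches conn 2 after its destructor ran (and even calls `handle_input` on it); the patched walk reports no stale access, and conn 2 is still released, only one iteration later, once the loop is done with it.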
tools/xenstore/xenstored_core.c

index 90bfd05b917b2f11ede7bb9fccad98aa74018921..b043ac45f849b926d8c55927bc964a6fe63bd991 100644 (file)
@@ -1937,14 +1937,17 @@ int main(int argc, char *argv[])
                        handle_event();
 
                next = list_entry(connections.next, typeof(*conn), list);
+               if (&next->list != &connections)
+                       talloc_increase_ref_count(next);
                while (&next->list != &connections) {
                        conn = next;
 
                        next = list_entry(conn->list.next,
                                          typeof(*conn), list);
+                       if (&next->list != &connections)
+                               talloc_increase_ref_count(next);
 
                        if (conn->domain) {
-                               talloc_increase_ref_count(conn);
                                if (domain_can_read(conn))
                                        handle_input(conn);
                                if (talloc_free(conn) == 0)
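Review bot: the reference taken by `if (&next->list != &connections) talloc_increase_ref_count(next);` (both before the loop and inside it) is only dropped one iteration later, by the `talloc_free(conn)` that used to pair with the now-removed `talloc_increase_ref_count(conn)`; that acquire/release pairing now spans loop iterations and is not visible at either call site, so a short comment above the `while` saying that every `conn` arrives holding the reference taken on it as `next`, and that `talloc_free(conn)` releases exactly that reference, would save the next reader from re-deriving it. A second point: holding the reference keeps `next` allocated, but it does not stop the following iteration from calling `domain_can_read(conn)` and `handle_input(conn)` on a connection whose domain was released while the previous one was being handled; if the release path already marks the connection so those calls are harmless that is fine, but nothing in this hunk shows it, so it is worth a sentence in the commit message or the comment.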
@@ -1957,7 +1960,6 @@ int main(int argc, char *argv[])
                                if (talloc_free(conn) == 0)
                                        continue;
                        } else {
-                               talloc_increase_ref_count(conn);
                                if (FD_ISSET(conn->fd, &inset))
                                        handle_input(conn);
                                if (talloc_free(conn) == 0)
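Review bot: with `talloc_increase_ref_count(conn)` gone from the `else` branch as well, the socket branch and the domain branch above now differ only in their readiness test (`FD_ISSET(conn->fd, &inset)` versus `domain_can_read(conn)`) and both end in the same `if (talloc_free(conn) == 0) continue;`; consider folding them into a single path that picks the readiness test on `conn->domain`, so the reference handling that this patch moved lives in one place rather than being mirrored across two branches.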