libxl: Do not trust frontend for nic in libxl_devid_to_device_nic

Find the backend by reading the pointer in /libxl rather than in the
guest's frontend area.

This is part of XSA-175.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>

diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
index 3c8ed64e140678a92b993d7fe16ac397d4bd8af4..aa6b33de94e03497dcd15424fdadf9136352b1b4 100644 (file)
--- a/tools/libxl/libxl.c
+++ b/tools/libxl/libxl.c
@@ -3629,16 +3629,16 @@ int libxl_devid_to_device_nic(libxl_ctx *ctx, uint32_t domid,
                               int devid, libxl_device_nic *nic)
 {
     GC_INIT(ctx);
-    char *dompath, *path;
+    char *libxl_dom_path, *path;
     int rc = ERROR_FAIL;
 
     libxl_device_nic_init(nic);
-    dompath = libxl__xs_get_dompath(gc, domid);
-    if (!dompath)
+    libxl_dom_path = libxl__xs_libxl_path(gc, domid);
+    if (!libxl_dom_path)
         goto out;
 
     path = libxl__xs_read(gc, XBT_NULL,
-                          GCSPRINTF("%s/device/vif/%d/backend", dompath,
+                          GCSPRINTF("%s/device/vif/%d/backend", libxl_dom_path,
                                     devid));
     if (!path)
         goto out;