From: Julien Grall Date: Thu, 24 Jun 2021 11:15:49 +0000 (+0100) Subject: tools/xenstored: Don't crash xenstored when Live-Update is cancelled X-Git-Tag: archive/raspbian/4.16.0+51-g0941d6cb-1+rpi1~2^2~42^2~402 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=90bafdba8ebf41c9af31b5c725a938da2a75d292;p=xen.git tools/xenstored: Don't crash xenstored when Live-Update is cancelled As Live-Update is asynchronous, it is possible to receive a request to cancel it (either on the same connection or from a different one). Currently, this will crash xenstored because do_lu_start() assumes lu_status will be valid. This is not the case when Live-Update has been cancelled. This will result to dereference a NULL pointer and crash Xenstored. Rework do_lu_start() to check if lu_status is NULL and return an error in this case. Fixes: af216a99fb ("tools/xenstore: add the basic framework for doing the live update") Signed-off-by: Julien Grall Reviewed-by: Luca Fancellu Reviewed-by: Juergen Gross --- diff --git a/tools/xenstore/xenstored_control.c b/tools/xenstore/xenstored_control.c index a045f102a4..a1b1bd5a71 100644 --- a/tools/xenstore/xenstored_control.c +++ b/tools/xenstore/xenstored_control.c @@ -696,7 +696,18 @@ static bool do_lu_start(struct delayed_request *req) time_t now = time(NULL); const char *ret; struct buffered_data *saved_in; - struct connection *conn = lu_status->conn; + struct connection *conn = req->data; + + /* + * Cancellation may have been requested asynchronously. In this + * case, lu_status will be NULL. + */ + if (!lu_status) { + ret = "Cancellation was requested"; + goto out; + } + + assert(lu_status->conn == conn); if (!lu_check_lu_allowed()) { if (now < lu_status->started_at + lu_status->timeout) 
@@ -747,7 +758,7 @@ static const char *lu_start(const void *ctx, struct connection *conn, lu_status->timeout = to; lu_status->started_at = time(NULL); - errno = delay_request(conn, conn->in, do_lu_start, NULL, false); + errno = delay_request(conn, conn->in, do_lu_start, conn, false); return NULL; }
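Review bot: In the do_lu_start() hunk, `assert(lu_status->conn == conn);` is compiled out under NDEBUG, so it does not protect a production build against the case the commit message itself describes, where a cancellation arrives from a different connection: if a cancel is followed by a new Live-Update request from another connection before this delayed callback runs, lu_status is non-NULL but belongs to that other connection, and the function would proceed on the wrong state. Consider turning the assert into a runtime check that returns an error on the `out` path, mirroring the new NULL check (for example `if (!lu_status || lu_status->conn != conn) { ret = "Cancellation was requested"; goto out; }`), and documenting in the comment that lu_status may also have been replaced, not only cleared. It would also help to state in the comment what the `out:` label does with `ret` and `conn` on this early-exit path, since the trailing context does not show it.

Review bot: In the lu_start() hunk, passing `conn` as the opaque `data` argument to delay_request() stores a raw pointer to the connection inside the delayed request without a comment explaining the ownership or lifetime. If the connection that started the Live-Update is closed and freed while the request is still queued, do_lu_start() would read `req->data` as a dangling pointer; please either confirm (and note at the call site) that delayed requests are unlinked when their connection is destroyed, or add a short comment referencing where that cleanup happens, so a later reader does not have to rediscover the invariant.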