From e75ecdea85ff23d916420ec299753e31c5610f47 Mon Sep 17 00:00:00 2001
From: Ian Campbell
Date: Tue, 11 Sep 2012 14:06:54 +0200
Subject: [PATCH] tmem: check the pool_id is valid when destroying a tmem pool

This is part of XSA-15 / CVE-2012-3497.

Signed-off-by: Ian Campbell
Committed-by: Jan Beulich
---
 xen/common/tmem.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/xen/common/tmem.c b/xen/common/tmem.c
index 5f27ff019f..835c257e5f 100644
--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -1870,6 +1870,8 @@ static NOINLINE int do_tmem_destroy_pool(uint32_t pool_id)

 if ( client->pools == NULL )
 return 0;
+ if ( pool_id >= MAX_POOLS_PER_DOMAIN )
+ return 0;
 if ( (pool = client->pools[pool_id]) == NULL )
 return 0;
 client->pools[pool_id] = NULL;
--
2.30.2
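Review bot: The added guard `if ( pool_id >= MAX_POOLS_PER_DOMAIN )` carries no comment explaining why it must come before the `client->pools[pool_id]` read on the following line. Since pool_id is a caller-supplied `uint32_t` (presumably taken from the tmem operation's arguments, which are outside this hunk), I would add `/* pool_id is caller-controlled: reject out-of-range ids before indexing client->pools[] */` above the check. The guard is only sound if MAX_POOLS_PER_DOMAIN is the element count of `client->pools`, whose declaration is not visible here, so that should be confirmed or tied together where the array is declared. The body of do_tmem_destroy_pool starts and ends outside the hunk, so whether returning 0 for an out-of-range id is distinguishable from "pool not found" for the caller cannot be judged from these lines.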