[libvirt] [PATCH] security: plug regression introduced in disk probe logic
Eric Blake
eblake at redhat.com
Wed Jun 1 22:25:33 UTC 2011
On 05/31/2011 05:35 PM, Eric Blake wrote:
> Regression introduced in commit d6623003 (v0.8.8) - using the
> wrong sizeof operand meant that security manager private data
> was overlaying the allowDiskFOrmatProbing member of struct
> _virSecurityManager. This reopens disk probing, which was
> supposed to be prevented by the solution to CVE-2010-2238.
>
> * src/security/security_manager.c
> (virSecurityManagerGetPrivateData): Use correct offset.
> ---
> src/security/security_manager.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/src/security/security_manager.c b/src/security/security_manager.c
> index 0246dd8..833c1a2 100644
> --- a/src/security/security_manager.c
> +++ b/src/security/security_manager.c
> @@ -107,7 +107,7 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name,
>
> void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr)
> {
> - return ((char*)mgr) + sizeof(mgr);
> + return ((char*)mgr) + sizeof(*mgr);
I suppose I could have used:
return mgr + 1;
instead, since that gives the same address with less typing. Any
preferences on which form to commit?
--
Eric Blake eblake at redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 619 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20110601/5a11fa27/attachment-0001.sig>
More information about the libvir-list
mailing list