Libvirt Security Notice: LSN-2012-0002
Fix crash in libvirt clearing API parameters
Lifecycle
Reported on: 20120730
Published on: 20120730
Fixed on: 20120730
Credits
See also
Description
The libvirtd daemon code which dispatches APIs with
variable parameters may end up walking off the end of an array
which is only one element long when a client passes an nparams
value of 0. If there is a byte with value 7 in an unfortunate
place in the heap, this may cause an attempt to free non-allocated
memory, resulting in a crash.
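A simplified C model of the cleanup path described above, added here as an illustration and not libvirt's own code. The names param_t, params_clear and dispatch_model are hypothetical; it assumes that type tag 7 marks a heap-owned value and that the handler can report more entries than were allocated.

```c
#include <stdlib.h>
#include <string.h>

#define PARAM_STRING 7           /* assumed: tag 7 means the value is heap-owned */

typedef struct {
    int type;                    /* type tag of the value */
    char *str;                   /* owned only when type == PARAM_STRING */
} param_t;                       /* hypothetical, simplified parameter */

/* Free owned values in the first `count` entries, never reading past the
 * `allocated` entries that really exist. Returns how many were visited. */
size_t params_clear(param_t *params, size_t allocated, size_t count)
{
    size_t n = count < allocated ? count : allocated;
    if (params == NULL)
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (params[i].type == PARAM_STRING)
            free(params[i].str);
        memset(&params[i], 0, sizeof(params[i]));
    }
    return n;
}

/* Constructed dispatcher model: the client sends client_nparams and the
 * handler reports `reported` entries. Returns entries visited by cleanup. */
size_t dispatch_model(size_t client_nparams, size_t reported)
{
    /* One element is allocated even when the client passes zero. */
    size_t allocated = client_nparams ? client_nparams : 1;
    param_t *params = calloc(allocated, sizeof(*params));
    if (params == NULL)
        return 0;
    /* Fill only what fits; each filled entry owns a small buffer. */
    for (size_t i = 0; i < reported && i < allocated; i++) {
        params[i].type = PARAM_STRING;
        params[i].str = calloc(1, 16);
    }
    /* A loop bounded by `reported` alone would read memory past the array
     * as param_t and call free() on it whenever the tag happens to be 7. */
    size_t visited = params_clear(params, allocated, reported);
    free(params);
    return visited;
}
```

The point of the model is that cleanup is bounded by the number of elements actually allocated, not by a count that changed after allocation.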
Impact
A malicious client can cause access beyond the end of an
array and potentially trigger heap corruption by freeing
non-allocated memory.
Workaround
None possible
Affected product: libvirt