From f83cb080a62d83c220d0a7deb44977601d50de56 Mon Sep 17 00:00:00 2001 From: Markus Armbruster Date: Fri, 25 Nov 2011 13:52:08 +0100 Subject: [PATCH 07/11] acl: Fix use after free in qemu_acl_reset() RH-Author: Markus Armbruster Message-id: <1322229128-5621-1-git-send-email-armbru@redhat.com> Patchwork-id: 35448 O-Subject: [RHEL-6.3 PATCH qemu-kvm] acl: Fix use after free in qemu_acl_reset() Bugzilla: 749820 RH-Acked-by: Jeffrey Cody RH-Acked-by: Laszlo Ersek RH-Acked-by: Paul Moore Reproducer: $ MALLOC_PERTURB_=234 qemu-system-x86_64 -vnc :0,acl,sasl [...] QEMU 0.15.50 monitor - type 'help' for more information (qemu) acl_add vnc.username fred allow acl: added rule at position 1 (qemu) acl_reset vnc.username Segmentation fault (core dumped) Spotted by Coverity. Signed-off-by: Markus Armbruster Signed-off-by: Stefan Hajnoczi (cherry picked from commit 0ce6a434176e274a7e86bcaa268542c5cc402696) --- Bug 749820 brew: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=3851960 acl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) Signed-off-by: Michal Novotny --- acl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/acl.c b/acl.c index 311dade..0f6887c 100644 --- a/acl.c +++ b/acl.c @@ -96,13 +96,13 @@ int qemu_acl_party_is_allowed(qemu_acl *acl, void qemu_acl_reset(qemu_acl *acl) { - qemu_acl_entry *entry; + qemu_acl_entry *entry, *next_entry; /* Put back to deny by default, so there is no window * of "open access" while the user re-initializes the * access control list */ acl->defaultDeny = 1; - QTAILQ_FOREACH(entry, &acl->entries, next) { + QTAILQ_FOREACH_SAFE(entry, &acl->entries, next, next_entry) { QTAILQ_REMOVE(&acl->entries, entry, next); free(entry->match); free(entry); -- 1.7.7.3