On Wed, Mar 21, 2007 at 03:09:09PM +0000, Daniel P. Berrange wrote:
> The new bufferContentAndFree() method used for the QEMU daemon reallocs the
> buffer size down to release memory held by the buffer which was never used
> for any data. Unfortunately it reallocs it 1 byte too small, so later uses
> of strlen()/strcpy() either magically work, or randomly append garbage or
> crash the daemon depending on the phase of the moon :-) Re-allocing the
> buffer to release a few bytes of memory isn't really an optimization since the
> caller is going to free the entire block a very short while later, so this
> patch simply removes the realloc call.

Okay, please commit :-)

> As an aside, the virBuffer functions in src/xml.c and the buffer functions
> in qemud/buf.c are both flawed wrt the way they call the Grow method.
> The method expects the len parameter to be extra bytes needed, but several
> of the callers pass in the total desired length, so it allocates too much
> memory. There are various other non-fatal flaws which need to be cleaned
> up in this code, but the attached patch just focuses on the current fatal
> buffer overflow for now.

Okay, I fixed the problems, committed in CVS, and also clarified the documentation
of those routines.

Daniel

-- 
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard | virtualization library http://libvirt.org/
veillard@xxxxxxxxxx | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
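As an added illustration (not the patch and not libvirt's virBuffer or qemud/buf.c code), a minimal hypothetical growable buffer that follows the two rules the thread describes: Grow takes the number of extra bytes needed rather than the total length, and the content handed back keeps room for its terminating NUL instead of being shrunk one byte short.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string buffer (constructed for this example). */
typedef struct {
    char *content;   /* NUL-terminated data, or NULL when empty */
    size_t use;      /* bytes of data, excluding the trailing NUL */
    size_t size;     /* bytes allocated, including room for the NUL */
} Buf;

/* Grow takes the number of EXTRA bytes the caller is about to append.
 * Passing the total desired length instead over-allocates, because the
 * bytes already in use get counted twice. */
static int bufGrow(Buf *b, size_t extra) {
    size_t want = b->use + extra + 1;          /* +1 reserves the NUL */
    if (want <= b->size) return 0;
    size_t nsize = b->size ? b->size * 2 : want;
    while (nsize < want) nsize *= 2;
    char *p = realloc(b->content, nsize);
    if (!p) return -1;
    b->content = p;
    b->size = nsize;
    return 0;
}

/* Appends s, keeping the buffer NUL-terminated. */
static int bufAdd(Buf *b, const char *s) {
    size_t len = strlen(s);
    if (bufGrow(b, len) < 0) return -1;
    memcpy(b->content + b->use, s, len + 1);   /* copies the NUL too */
    b->use += len;
    return 0;
}

/* Hands the string to the caller and resets the buffer.  No shrinking
 * realloc: the caller frees the block shortly anyway, and a shrink to
 * `use` bytes (rather than use + 1) would drop the NUL that later
 * strlen()/strcpy() calls rely on. */
static char *bufContentAndFree(Buf *b) {
    char *p = b->content;
    b->content = NULL;
    b->use = b->size = 0;
    return p;
}
```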