On 08/13/2015 04:18 AM, Martin Kletzander wrote:
> When parsing private domain data, there are two paths that are flawed.
> They are both error paths, just from different parts of the function.
> One of them can call free() on an uninitialized pointer. Initialization
> to NULL is enough here. The other one is a bit trickier to explain, but
> as easy as the first one to fix. We create capabilities, parse them and
> then assign them into the private data pointer inside the domain object.
> If, however, we get to fail from now on, the error path unrefs the
> capabilities and then, when the domain object is being cleaned,
> qemuDomainObjPrivateFree() tries to unref them as well. That causes a
> segfault. Settin the pointer to NULL upon successful addition to the

s/Settin/Setting

> private data is enough.
>
> Signed-off-by: Martin Kletzander <mkletzan@xxxxxxxxxx>
> ---
> src/qemu/qemu_domain.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>

Could have been 2 patches though to fix 2 different bugs... Good catch on
the second one - that was well hidden...

John

(and I see Jan's ACK'd the whole series - so whether this gets to you in
time or not relies on the speed of email)

> diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
> index abf52c9c38fa..8fe7c75d19c9 100644
> --- a/src/qemu/qemu_domain.c
> +++ b/src/qemu/qemu_domain.c
> @@ -627,7 +627,7 @@ qemuDomainObjPrivateXMLParse(xmlXPathContextPtr ctxt,
> {
> qemuDomainObjPrivatePtr priv = vm->privateData;
> char *monitorpath;
> - char *tmp;
> + char *tmp = NULL;
> int n;
> size_t i;
> xmlNodePtr *nodes = NULL;
> @@ -715,6 +715,7 @@ qemuDomainObjPrivateXMLParse(xmlXPathContextPtr ctxt,
> }
>
> priv->qemuCaps = qemuCaps;
> + qemuCaps = NULL;
> }
> VIR_FREE(nodes);
>

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
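Review bot: The `char *tmp = NULL;` initializer in the first hunk only removes the free-of-uninitialized-pointer case if the cleanup path frees `tmp` through a NULL-tolerant helper, and that cleanup label lies outside the hunk; confirm it uses `VIR_FREE(tmp)` (the same macro the second hunk's context uses for `nodes`, which also resets the pointer) rather than a bare `free()`, so that an early error exit before the first assignment, and any later reuse of `tmp` across iterations, stay safe. A one-line comment on the declaration noting that it is freed unconditionally on the error path would record why the initializer is load-bearing.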
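Review bot: Clearing the local right after `priv->qemuCaps = qemuCaps;` is the correct ownership transfer, but the assignment sits inside a conditional block (the closing `}` follows it in the hunk), so the unconditional unref on the error path must also be safe when that block is never entered; confirm that `qemuCaps` is initialized to NULL at its declaration, which is outside this hunk. A short comment on the `qemuCaps = NULL;` line stating that ownership has moved to `priv` would keep a future cleanup from reintroducing the double unref that `qemuDomainObjPrivateFree()` would otherwise trigger.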