libvirtd crashes on free()ing portData for an open vswitch port if that port
was deleted. To reproduce:
ovs-vsctl del-port vnet0
virsh migrate --live kvm1 qemu+ssh://dstHost/system
Error message:
libvirtd: *** Error in `/usr/sbin/libvirtd': free(): invalid pointer: 0x000003ff90001e20 ***
The problem is that virCommandRun can return an empty string in the event that
the port being queried does not exist. When this happens then we are
unconditionally overwriting a newline character at position strlen()-1. When
strlen is 0, we overwrite memory that does not belong to the string.
The fix: Only overwrite the newline if the string is not empty.
Reviewed-by: Bjoern Walk <bwalk@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
---
src/util/virnetdevopenvswitch.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/util/virnetdevopenvswitch.c b/src/util/virnetdevopenvswitch.c
index 6780fb5..0f640d0 100644
--- a/src/util/virnetdevopenvswitch.c
+++ b/src/util/virnetdevopenvswitch.c
@@ -222,8 +222,10 @@ int virNetDevOpenvswitchGetMigrateData(char **migrate, const char *ifname)
goto cleanup;
}
- /* Wipeout the newline */
- (*migrate)[strlen(*migrate) - 1] = '\0';
+ /* Wipeout the newline, if it exists */
+ if (strlen(*migrate) > 0) {
+ (*migrate)[strlen(*migrate) - 1] = '\0';
+ }
ret = 0;
cleanup:
virCommandFree(cmd);
--
1.9.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list