On 02/10/2017 02:06 PM, John Ferlan wrote:
> If either the "if (STRPREFIX(mem_tokens[j], "max:"))" is never entered
> or the "if (virStrToLong_ull(mem_tokens[j] + 4, &p, 10, maxmem) < 0)" break
> is hit, control goes back to the outer loop processing 'cmd_tokens' and
> it's possible that the 'mem_tokens' would be overwritten.
>
> Found by Coverity
>
> Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
> ---
>
> Of course this is what led me down the path of the recently sent virusbmock
> patch...
>
> src/libxl/libxl_conf.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/src/libxl/libxl_conf.c b/src/libxl/libxl_conf.c > index 6ce2e0a..f5b788b 100644 > --- a/src/libxl/libxl_conf.c > +++ b/src/libxl/libxl_conf.c > @@ -1622,6 +1622,7 @@ libxlDriverGetDom0MaxmemConf(libxlDriverConfigPtr cfg, > goto cleanup; > } > } > + virStringListFree(mem_tokens); > } > > physmem: >

This will work. The other possible location is just before:

  if (!(mem_tokens = virStringSplit(cmd_tokens[i], ",", 0)))

line.

ACK

Michal
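
Review bot: after the added virStringListFree(mem_tokens); at the end of the outer loop body, mem_tokens is left pointing at the list that was just freed. The hunk shows a "goto cleanup" earlier in the same loop, so if the cleanup path (not visible in this hunk) also frees mem_tokens, falling out of the loop through "physmem:" after the last iteration would free that list a second time. Setting "mem_tokens = NULL;" directly after the new call would make the per-iteration free safe regardless of what cleanup does, and would also keep a later iteration that fails before reassigning mem_tokens from jumping to cleanup with a stale pointer.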