On Tue, Feb 19, 2019 at 03:40:31PM +0800, Jay Zhou wrote:
From: Jing Wu <wujing42@xxxxxxxxxx> Some functions like doCoreDump call virFileWrapperFdNew to execute async cmds, if a step after virFileWrapperFdNew failed, the func may skip virFileWrapperFdClose and jump to cleanup label to call virFileWrapperFdFree directly.
Wouldn't the proper fix be to always call virFileWrapperFdClose? See this series by Andrea: https://www.redhat.com/archives/libvir-list/2019-February/msg01155.html
If the child process of the cmd is running and asyncioThread is polling, cmd->errbuf have been alloced at least one byte but not yet operate (*cmd->errbuf)[errlen] = '\0', access of wfd->err_msg in virFileWrapperFdFree at this time will cause risk of heap-buffer-overflow.
So, we need to put VIR_WARN(wfd->err_msg) after VIR_FREE(wfd->err_msg).
This sentence does not make sense - why would we access the error after freeing it? Jano
Besides, since virCommandFree has included virCommandAbort, there is no need to call virCommandAbort extraly. Signed-off-by: Jing Wu <wujing42@xxxxxxxxxx> Signed-off-by: Jay Zhou <jianjay.zhou@xxxxxxxxxx> --- src/util/virfile.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
Attachment:
signature.asc
Description: PGP signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
