On 4/8/19 1:35 PM, Roman Bogorodskiy wrote:
> Eric Blake wrote:
>
>> Commit b647d2195 introduced a use-after-free situation when the caller
>> is trying to delete a snapshot and its children: if the callback
>>
>> Fixes: b647d2195
>> Reported-by: Roman Bogorodskiy <bogorodskiy@xxxxxxxxx>
>> Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
>> ---
>> src/conf/virdomainmomentobjlist.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/conf/virdomainmomentobjlist.c b/src/conf/virdomainmomentobjlist.c
>> index 65e82f632c..66eb66017b 100644
>> --- a/src/conf/virdomainmomentobjlist.c
>> +++ b/src/conf/virdomainmomentobjlist.c
>> @@ -80,9 +80,11 @@ virDomainMomentActOnDescendant(void *payload,
>> {
>> virDomainMomentObjPtr obj = payload;
>> struct moment_act_on_descendant *curr = data;
>> + virDomainMomentObj tmp = *obj;
>>
>> + /* Careful: curr->iter can delete obj, hence the need for tmp */
>> (curr->iter)(payload, name, curr->data);
>> - curr->number += 1 + virDomainMomentForEachDescendant(obj,
>> + curr->number += 1 + virDomainMomentForEachDescendant(&tmp,
>> curr->iter,
>> curr->data);
>> return 0;
>
> This fixes the problem for me, thanks.
> The change itself looks reasonable to me, but I'm not familiar with the code
> enough to go with Reviewed-by I guess.
Well, Tested-by is better than nothing; so I've gone ahead and pushed
it. Thanks for checking that it works :)
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
