On 06/01/2010 04:03 PM, Eric Blake wrote:
> On 06/01/2010 01:10 PM, Cole Robinson wrote:
>> If VM startup fails early enough (can't find a referenced USB device),
>> libvirtd will crash trying to clear the VNC port bit, since port = 0,
>> which overflows us out of the bitmap bounds.
>>
>> Fix this by being more defensive in the bitmap operations, and only
>> clearing a previously set VNC port.
>>
>> +++ b/src/util/bitmap.c
>> @@ -118,7 +118,7 @@ int virBitmapSetBit(virBitmapPtr bitmap, size_t b)
>> */
>> int virBitmapClearBit(virBitmapPtr bitmap, size_t b)
>> {
>> - if (b > bitmap->size - 1)
>> + if (bitmap->size != 0 && b > bitmap->size - 1)
>
> I think this could use a v2: virBitmapSetBit and virBitmapGetBit should
> get the same treatment for bounds checking.
>
> Meanwhile, we already reject attempts to create a bitmap with SIZE_MAX
> bits. Therefore, since b is unsigned, we can safely avoid the && and
> instead do the computation via a single comparison:
>
> if (bitmap->size <= b)
> return -1;
>
> For that matter, should virBitmapAlloc(0) return NULL, instead of its
> current behavior of allocating an (empty) bitmap?
>

Thanks, simplified that check and applied it to the other bitmap functions.
Updated patch sent.

- Cole

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
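Review bot: the new guard in virBitmapClearBit still does not reject an out-of-range bit on an empty bitmap: with `bitmap->size == 0`, the condition `bitmap->size != 0 && b > bitmap->size - 1` evaluates false for every b, so the early return is skipped and execution continues into the clear operation, which is exactly the size-0, port-0 case the commit message describes. Since b is unsigned and a bitmap of SIZE_MAX bits is already rejected, the single comparison `if (bitmap->size <= b) return -1;` covers size 0 as well as the normal range, and the same guard should be applied in virBitmapSetBit and virBitmapGetBit so all three entry points agree.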
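To make the unsigned-underflow argument in the thread concrete, here is an added example (not libvirt's code; the `bitmap_t` type and all function names are hypothetical) that puts the three guard variants side by side against a minimal bitmap, so the empty-bitmap, bit-0 case from the crash report can be exercised directly.

```c
/* Added example, not libvirt's code: the three bounds guards discussed in
 * the thread, applied to a minimal bitmap so the size == 0 case can be
 * exercised without libvirtd. Type and function names are hypothetical. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define BITS_PER_UNIT (sizeof(unsigned long) * CHAR_BIT)

typedef struct {
    size_t size;          /* number of valid bits */
    unsigned long *map;   /* storage, size / BITS_PER_UNIT rounded up */
} bitmap_t;

/* Original guard: with size == 0 the unsigned subtraction wraps to
 * SIZE_MAX, so no b is ever rejected. Returns 1 when the guard rejects
 * b, 0 when it lets the access through. */
int guard_original(size_t size, size_t b) { return b > size - 1; }

/* First patch in the thread: correct for size > 0, but an empty bitmap
 * skips the comparison entirely and the access still goes ahead. */
int guard_v1(size_t size, size_t b) { return size != 0 && b > size - 1; }

/* Single comparison from the review: valid for every size including 0,
 * because b is unsigned and size < SIZE_MAX is already enforced. */
int guard_v2(size_t size, size_t b) { return size <= b; }

/* Clear bit b using the v2 guard; -1 on out-of-range, 0 on success. */
int bitmap_clear_bit(bitmap_t *bm, size_t b)
{
    if (guard_v2(bm->size, b))
        return -1;
    bm->map[b / BITS_PER_UNIT] &= ~(1UL << (b % BITS_PER_UNIT));
    return 0;
}

/* The failure scenario from the report: an empty bitmap (no VNC port was
 * ever set) and port = 0. Must return -1 instead of writing to map[0]. */
int clear_port_zero_on_empty(void)
{
    bitmap_t bm = { 0, NULL };
    return bitmap_clear_bit(&bm, 0);
}
```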