virFDStreamClose used a mutex after it was freed, and failed to destroy that mutex on its last use.
* src/fdstream.c (virFDStreamFree): Inline into sole caller... (virFDStreamClose): ...to avoid use-after-free and leak. Reported by Matthias Bolte.
---
 src/fdstream.c | 34 ++++++++++++++--------------------
 1 files changed, 14 insertions(+), 20 deletions(-)
diff --git a/src/fdstream.c b/src/fdstream.c
index 2702ad7..e19694f 100644
--- a/src/fdstream.c
+++ b/src/fdstream.c
@@ -210,9 +210,20 @@ cleanup:
 return ret;
 }
-static int virFDStreamFree(struct virFDStreamData *fdst)
+
+static int
+virFDStreamClose(virStreamPtr st)
 {
+ struct virFDStreamData *fdst = st->privateData;
 int ret;
+
+ VIR_DEBUG("st=%p", st);
+
+ if (!fdst)
+ return 0;
+
+ virMutexLock(&fdst->lock);
+
 ret = VIR_CLOSE(fdst->fd);
 if (fdst->cmd) {
 char buf[1024];
@@ -243,29 +254,12 @@ static int virFDStreamFree(struct virFDStreamData *fdst)
 }
 virCommandFree(fdst->cmd);
 }
- VIR_FREE(fdst);
- return ret;
-}
-
-
-static int
-virFDStreamClose(virStreamPtr st)
-{
- struct virFDStreamData *fdst = st->privateData;
- int ret;
-
- VIR_DEBUG("st=%p", st);
-
- if (!fdst)
- return 0;
-
- virMutexLock(&fdst->lock);
-
- ret = virFDStreamFree(fdst);
 st->privateData = NULL;
 virMutexUnlock(&fdst->lock);
+ virMutexDestroy(&fdst->lock);
+ VIR_FREE(fdst);
 return ret;
 }
--
1.7.4.4
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
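Review bot: In the new virFDStreamClose, `st->privateData` is read and NULL-checked before `virMutexLock(&fdst->lock)`, so the lock that lives inside `fdst` cannot protect the decision to use `fdst`. If anything else can reach the same stream concurrently (a second close, or a callback that was handed `fdst`; neither is ruled out by the lines shown), it can obtain the pointer, block on the lock, and wake up after the second hunk's `virMutexUnlock` on a mutex that is about to be destroyed and memory about to be freed. That is the same use-after-free class this patch removes from the single-threaded path. The lifetime needs an outer guard such as a lock on `st` or a reference count on `fdst`; if one already exists outside this hunk, state it above the read, e.g. `/* caller serialises close on st; fdst->lock alone cannot guard fdst's lifetime */`. The function body runs past the end of this hunk.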
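Review bot: The tail of virFDStreamClose relies on a strict order that no comment records: clear `st->privateData` while the lock is held, unlock, then `virMutexDestroy`, then `VIR_FREE`. Since reordering these lines is exactly what caused the original bug, a short comment above the unlock would keep a later refactor from reintroducing it, for example `/* fdst->lock is a member of fdst: unlock, then destroy, then free, in that order */`. The start of the function is outside this hunk.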