On Mon, Jul 30, 2012 at 22:52:23 +0800, Osier Yang wrote: > >> On 2012年07月30日 19:55, Jiri Denemark wrote: > >>> Daemon uses the following pattern when dispatching APIs with typed > >>> parameters: > >>> > >>> VIR_ALLOC_N(params, nparams); > >>> virDomain*(dom, params,&nparams, flags); > >>> virTypedParameterArrayClear(params, nparams); > >>> > >>> In case nparams was originally set to 0, virDomain* API would fill it > >>> with the number of typed parameters it can provide and we would use this > >>> number (rather than zero) to clear params. Because VIR_ALLOC* returns > >>> non-NULL pointer even if size is 0, the code would end up walking > >>> through random memory. If we were lucky enough and the memory contained > >>> 7 (VIR_TYPED_PARAM_STRING) at the right place, we would try to free a > >>> random pointer and crash. > >>> > >>> Let's make sure params stays NULL when nparams is 0. > >>> > Makes sense, ACK. Pushed, thanks. Jirka -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list