From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
When parsing the RBD hosts, it increments the 'nhosts' counter
before increasing the 'hosts' array allocation. If an OOM then
occurs when increasing the array allocation, the cleanup block
will attempt to access beyond the end of the array. Switch
to using VIR_EXPAND_N instead of VIR_REALLOC_N to protect against
this mistake
Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
src/qemu/qemu_command.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index b20149b..f6e4ace 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -3232,9 +3232,8 @@ static int qemuAddRBDHost(virDomainDiskDefPtr disk, char *hostport)
size_t skip;
char **parts;
- disk->nhosts++;
- if (VIR_REALLOC_N(disk->hosts, disk->nhosts) < 0)
- goto error;
+ if (VIR_EXPAND_N(disk->hosts, disk->nhosts, 1) < 0)
+ return -1;
if ((port = strchr(hostport, ']'))) {
/* ipv6, strip brackets */
--
1.8.3.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list