On 09/24/2013 06:04 PM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
>
> The 'qemuStringToArgvEnv' method splits up a string of command
> line env/args to an 'arglist' array. It then copies env vars
> to a 'progenv' array and args to a 'progargv' array. When
> copyin the env vars, it NULL-ifies the element in 'arglist'
> that is copied.
>
> Upon OOM the 'virStringListFree' is called on progenv and
> arglist. Unfortunately, because the elements in 'arglist'
> related to env vars have been set to NULL, the call to
> virStringListFree(arglist) doesn't free anything, even
> though some non-NULL args vars still exist later in the
> array.
>
> To fix this leak, stop NULL-ifying the 'arglist' elements,
> and change the cleanup code to only free elements in the
> 'arglist' array, not 'progenv'.
>
> Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
> ---
> src/qemu/qemu_command.c | 7 +++----
> 1 file changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> index fe53cf7..7029335 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -9724,10 +9724,8 @@ static int qemuStringToArgvEnv(const char *args,
> if (envend > 0) {
> if (VIR_REALLOC_N(progenv, envend+1) < 0)
> goto error;
> - for (i = 0; i < envend; i++) {
> + for (i = 0; i < envend; i++)
> progenv[i] = arglist[i];
> - arglist[i] = NULL;
> - }
> progenv[i] = NULL;
> }
>
> @@ -9746,7 +9744,8 @@ static int qemuStringToArgvEnv(const char *args,
> return 0;
>
> error:
> - virStringFreeList(progenv);
> + VIR_FREE(progenv);
> + VIR_FREE(progargv);
We don't jump to error after progargv is allocated, but it doesn't hurt.
> virStringFreeList(arglist);
> return -1;
> }
>
ACK
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list