On Mon, May 17, 2010 at 01:04:24PM +0200, Jim Meyering wrote:
The following theoretical possibility of a NULL dereference
has been in the code since April 1
(commit 6e41f30efcac08e50b21d9c943d6d27e90555951).
It's theoretical, because if that vm = NULL
statement is ever executed, the very next one,
calling virDomainObjUnlock would dereference that now-NULL "vm".
Hence, I think we can conclude the vm = NULL statement is
effectively dead code. That conclusion is in line with the
"should" in the preceding comment.
From f88969b986a1c88985671c9d6fa9cb1dc449ed74 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering(a)redhat.com>
Date: Mon, 17 May 2010 12:10:52 +0200
Subject: [PATCH] qemu_driver: avoid NULL dereference
* src/qemu/qemu_driver.c (qemudDomainStart): After setting vm to NULL,
goto cleanup, rather than dereferencing the NULL pointer.
---
src/qemu/qemu_driver.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 8f69b5a..3559e36 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -6489,8 +6489,11 @@ static int qemudDomainStart(virDomainPtr dom) {
* We should still have a reference left to vm but
* one should check for 0 anyway
*/
- if (qemuDomainObjEndJob(vm) == 0)
+ if (qemuDomainObjEndJob(vm) = 0) {
vm = NULL;
+ goto cleanup;
+ }
+
virDomainObjUnlock(vm);
qemuDriverUnlock(driver);
ret = qemudDomainRestore(dom->conn, managed_save);
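Review bot: the new condition `+ if (qemuDomainObjEndJob(vm) = 0) {` uses a single `=` where the removed line had `== 0`; as written it tries to assign to a function's return value, which a C compiler rejects (and were it accepted, the branch would never be taken). Suggest `if (qemuDomainObjEndJob(vm) == 0) {`, matching the line it replaces. With that corrected, the `goto cleanup` is the right fix, since the only state in which cleanup is reached from here is `vm == NULL`, so it is worth confirming that the cleanup label tolerates a NULL vm.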
ACK
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
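As an added illustration of the control flow the patch moves to (not libvirt code), a reference-counted, lockable object whose job-end call may drop the last reference, with a single cleanup label that only unlocks a pointer the caller still holds. The names `vm_obj`, `end_job`, `unlock` and `start_domain` are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical model of a ref-counted, lockable domain object. */
struct vm_obj {
    int refs;
    int locked;
};

static int frees;   /* objects released by end_job() */
static int unlocks; /* successful unlock() calls */

/* Drop one reference and return the remaining count. When it reaches
 * zero the object is freed, so the caller must not touch it again. */
static int end_job(struct vm_obj *vm)
{
    if (--vm->refs > 0)
        return vm->refs;
    free(vm);
    frees++;
    return 0;
}

/* Dereferences vm unconditionally: calling this with NULL is exactly
 * the fault the patch removes. */
static void unlock(struct vm_obj *vm)
{
    vm->locked = 0;
    unlocks++;
}

/* Mirrors the patched flow: if end_job() released the object, forget
 * the pointer and jump to cleanup instead of unlocking it. */
static int start_domain(struct vm_obj *vm)
{
    int ret = -1;
    vm->locked = 1;
    if (end_job(vm) == 0) {   /* last reference gone, object is freed */
        vm = NULL;
        goto cleanup;
    }
    ret = 0;                  /* object still alive: real work goes here */
cleanup:
    if (vm)                   /* single exit; tolerate a NULL vm */
        unlock(vm);
    return ret;
}
```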