Passing a NULL "models" pointer along with a
contradictory "nmodels >= 1" would cause a NULL-dereference.
An alternative to the fix below would be simply to guard
the NULL-dereferencing strcmp with "if (models ...",
but that wouldn't tell the caller that they're passing
bogus arguments.
From f57bd1fbe7a41b1b9d8ba1be61790e95b5060ddc Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering(a)redhat.com>
Date: Tue, 26 Jan 2010 19:58:48 +0100
Subject: [PATCH] cpu_x86.c: avoid NULL-deref for invalid arguments
* src/cpu/cpu_x86.c (x86Decode): Do not dereference NULL
when "models" is NULL and nmodels is 1 or greater.
---
src/cpu/cpu_x86.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/src/cpu/cpu_x86.c b/src/cpu/cpu_x86.c
index dae7c90..47dc400 100644
--- a/src/cpu/cpu_x86.c
+++ b/src/cpu/cpu_x86.c
@@ -1,7 +1,7 @@
/*
* cpu_x86.c: CPU driver for CPUs with x86 compatible CPUID instruction
*
- * Copyright (C) 2009 Red Hat, Inc.
+ * Copyright (C) 2009-2010 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -954,6 +954,9 @@ x86Decode(virCPUDefPtr cpu,
if (data == NULL || (map = x86LoadMap()) == NULL)
return -1;
+ if (models == NULL && nmodels != 0)
+ return -1;
+
candidate = map->models;
while (candidate != NULL) {
bool allowed = (models == NULL);
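Review bot: The new "models == NULL && nmodels != 0" check returns -1 after "(map = x86LoadMap())" has already succeeded, so this early exit leaves the function with a loaded map that nothing on this path releases. If the map has to be freed, and the hunk does not show whether it does, this is a leak on the invalid-argument path. The check depends only on the arguments, so it can move above the x86LoadMap() call, for example by folding it into the existing "data == NULL" test, which validates the arguments before any allocation. Separately, a bare "return -1" here is indistinguishable from the other failure returns, so a caller passing bogus arguments still gets no indication of which condition failed; reporting an error at this point would serve the goal stated in the cover text.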
--
1.7.0.rc0.140.gfbe7