Re: [libvirt] [PATCH] daemon: Fix crash in virTypedParameterArrayClear

>> On 2012年07月30日 19:55, Jiri Denemark wrote: >>> Daemon uses the following pattern when dispatching APIs with typed >>> parameters: >>> >>> VIR_ALLOC_N(params, nparams); >>> virDomain*(dom, params,&nparams, flags); >>> virTypedParameterArrayClear(params, nparams); >>> >>> In case nparams was originally set to 0, virDomain* API would fill it >>> with the number of typed parameters it can provide and we would use this >>> number (rather than zero) to clear params. Because VIR_ALLOC* returns >>> non-NULL pointer even if size is 0, the code would end up walking >>> through random memory. If we were lucky enough and the memory contained >>> 7 (VIR_TYPED_PARAM_STRING) at the right place, we would try to free a >>> random pointer and crash. >>> >>> Let's make sure params stays NULL when nparams is 0. >>> Makes sense, ACK.