On 10/24/2014 01:01 PM, Shanzhi Yu wrote:
> When split uri->scheme into two strings with "+", the
> second one will be

s/split/splitting/

> "rdma://server/..", pass it to
> virStorageNetHostTransportTypeFromString
> will lead libvirtd crash. So a second virStringSplit call is needed.

Can you show the FULL string that is being passed into this function,
and not just the string after the first split on '+'? That is, showing
an easy formula of how to reproduce the bug makes it easier to know if
the solution is right.

You have to assume that not everyone will click through this link.

Signed-off-by: Shanzhi Yu <shyu(a)redhat.com>
---
src/util/virstoragefile.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
index 960aa23..795c188 100644
--- a/src/util/virstoragefile.c
+++ b/src/util/virstoragefile.c
@@ -2144,6 +2144,9 @@ virStorageSourceParseBackingURI(virStorageSourcePtr src,
goto cleanup;
}
+ if (!(scheme = virStringSplit(scheme[1], ":", 2)))

Ouch. Memory leak. You are overwriting the contents of malloc'd scheme
with a new pointer. You'll need to send a v2.

+ goto cleanup;
+
if (scheme[1] &&
(src->hosts->transport =
virStorageNetHostTransportTypeFromString(scheme[1])) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
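
Review bot: the added virStringSplit(scheme[1], ":", 2) call reads scheme[1] with no NULL check, while the unchanged context line right after it still tests "scheme[1] &&", so a URI scheme without a "+" would reach the new call with a NULL argument; the second split should sit behind the same guard. If scheme[1] is "rdma://server/.." as the commit message says, splitting on ":" puts "rdma" in element 0, yet the lookup below still passes scheme[1] to virStorageNetHostTransportTypeFromString, so the index used there needs to change too. Keeping the result in a separate variable that is released at the cleanup label would also avoid overwriting the array returned by the first split.
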
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org