
On 02/09/2017 09:13 AM, Marc Hartmayer wrote:
After freeing the data structures we have to reset the counters to zero. This fixes a segmentation fault when virNetDevIPInfoClear is called twice (e.g. this is possible in virDomainNetDefParseXML() if virDomainNetIPInfoParseXML(...) fails with ret < 0 (this leads to the first call of 'virNetDevIPInfoClear(&def->guestIP)') and the resulting call of virDomainNetDefFree(def) in the error path of virDomainNetDefParseXML() (this leads to the second call of virNetDevIPInfoClear(&def->guestIP), and finally to the segmentation fault)).
ACK, and I take full responsibility for introducing the bug :-/ (This shows the danger of believing that merely moving a chunk of code into a subordinate function that's called in place of the original code won't lead to a regression; previously it wasn't possible to call it twice on the same object, but now it is)
Signed-off-by: Marc Hartmayer <mhartmay@linux.vnet.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy@linux.vnet.ibm.com>
Reviewed-by: Bjoern Walk <bwalk@linux.vnet.ibm.com>
---
 src/util/virnetdevip.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/util/virnetdevip.c b/src/util/virnetdevip.c index d159760..42fbba1 100644 --- a/src/util/virnetdevip.c +++ b/src/util/virnetdevip.c @@ -882,10 +882,12 @@ virNetDevIPInfoClear(virNetDevIPInfoPtr ip) for (i = 0; i < ip->nips; i++) VIR_FREE(ip->ips[i]); VIR_FREE(ip->ips); + ip->nips = 0;
for (i = 0; i < ip->nroutes; i++) virNetDevIPRouteFree(ip->routes[i]); VIR_FREE(ip->routes); + ip->nroutes = 0; }
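Review bot: the two added resets, ip->nips = 0 after VIR_FREE(ip->ips) and ip->nroutes = 0 after VIR_FREE(ip->routes), make virNetDevIPInfoClear() safe to call twice on the same object, but nothing in the hunk records that as a guarantee callers may rely on. A short comment above the function stating that it leaves the struct empty and can be called again would keep a later refactor from dropping the resets, since without them the second call loops over a stale count and indexes the array that was just freed. A test that drives virDomainNetDefParseXML() through the virDomainNetIPInfoParseXML() failure path named in the commit message would catch the same regression if this code is moved again.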