Re: [libvirt] [PATCH] daemon: Fix crash in virTypedParameterArrayClear

On Mon, Jul 30, 2012 at 22:52:23 +0800, Osier Yang wrote: >>> On 2012年07月30日 19:55, Jiri Denemark wrote: >>>> Daemon uses the following pattern when dispatching APIs with typed >>>> parameters: >>>> >>>> VIR_ALLOC_N(params, nparams); >>>> virDomain*(dom, params,&nparams, flags); >>>> virTypedParameterArrayClear(params, nparams); >>>> >>>> In case nparams was originally set to 0, virDomain* API would fill it >>>> with the number of typed parameters it can provide and we would use this >>>> number (rather than zero) to clear params. Because VIR_ALLOC* returns >>>> non-NULL pointer even if size is 0, the code would end up walking >>>> through random memory. If we were lucky enough and the memory contained >>>> 7 (VIR_TYPED_PARAM_STRING) at the right place, we would try to free a >>>> random pointer and crash. >>>> >>>> Let's make sure params stays NULL when nparams is 0. >>>> > Makes sense, ACK. Pushed, thanks.