>On 09/26/2017 03:54 PM, ZhiPeng Lu wrote:
>> In learnIPAddressThread()the @inetaddr may be leaked.
>> 
> Signed-off-by: ZhiPeng Lu <lu.zhipeng@zte.com.cn>
> ---
>  src/nwfilter/nwfilter_learnipaddr.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

> diff --git a/src/nwfilter/nwfilter_learnipaddr.c b/src/nwfilter/nwfilter_learnipaddr.c
> index cfd92d9..5dc212e 100644
> --- a/src/nwfilter/nwfilter_learnipaddr.c
> +++ b/src/nwfilter/nwfilter_learnipaddr.c
> @@ -625,6 +625,7 @@ learnIPAddressThread(void *arg)
>              if (virNWFilterIPAddrMapAddIPAddr(req->ifname, inetaddr) < 0) {
>>                  VIR_ERROR(_("Failed to add IP address %s to IP address "
>>                            "cache for interface %s"), inetaddr, req->ifname);
>> +                VIR_FREE(inetaddr);
>>              }
>>  
>>              ret = virNWFilterInstantiateFilterLate(req->driver,
>> @@ -636,7 +637,8 @@ learnIPAddressThread(void *arg)
>>                                                     req->filtername,
>>                                                     req->filterparams);
>>              VIR_DEBUG("Result from applying firewall rules on "
>> -                      "%s with IP addr %s : %d", req->ifname, inetaddr, ret);
>> +                      "%s with IP addr %s : %d", req->ifname, NULLSTR(inetaddr), ret);> +

>Still not quite right... VIR_FREE() only happens if
>virNWFilterIPAddrMapAddIPAddr() < 0.

>Not sure what the purpose of a VIR_FREE in the upper condition and then
>NULLSTR() below would be...  We're still calling
>virNWFilterInstantiateFilterLate regardless and still want the VIR_DEBUG
>printed.

>Perhaps just a VIR_FREE() after the VIR_DEBUG would seem to be
>sufficient since there's no escape clause.  The VIR_ERROR may help us
>understand why/if ret != 0 though... I didn't put much thought into that
>though.


we can't free inetaddr if  virNWFilterIPAddrMapAddIPAddr() ==0 because it is used by ipAddressMap.

So i  free inetaddr  only if virNWFilterIPAddrMapAddIPAddr < 0.


I will add a variable to save the return value  of virNWFilterIPAddrMapAddIPAddr.

   Free  inetaddr if virNWFilterIPAddrMapAddIPAddr< 0    after VIR_ERROR print.






为了让您的VPlat虚拟机故障和docker故障得到高效的处理,请上报故障到: $VPlat技术支持。

芦志朋 luzhipeng


IT开发工程师 IT Development Engineer
操作系统产品部/中心研究院/系统产品 OS Product Dept./Central R&D Institute/System Product



四川省成都市天府大道中段800号
E: lu.zhipeng@zte.com.cn
www.zte.com.cn
原始邮件
发件人: <jferlan@redhat.com>;
收件人:芦志朋10108272; <libvir-list@redhat.com>;
日 期 :2017年09月27日 07:46
主 题 :Re: [libvirt] [PATCH v2] nwfilter: Don't leak @inetaddr




On 09/26/2017 03:54 PM, ZhiPeng Lu wrote:
> In learnIPAddressThread()the @inetaddr may be leaked.

> Signed-off-by: ZhiPeng Lu <lu.zhipeng@zte.com.cn>
> ---
>  src/nwfilter/nwfilter_learnipaddr.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

> diff --git a/src/nwfilter/nwfilter_learnipaddr.c b/src/nwfilter/nwfilter_learnipaddr.c
> index cfd92d9..5dc212e 100644
> --- a/src/nwfilter/nwfilter_learnipaddr.c
> +++ b/src/nwfilter/nwfilter_learnipaddr.c
> @@ -625,6 +625,7 @@ learnIPAddressThread(void *arg)
>              if (virNWFilterIPAddrMapAddIPAddr(req->ifname, inetaddr) < 0) {
>                  VIR_ERROR(_("Failed to add IP address %s to IP address "
>                            "cache for interface %s"), inetaddr, req->ifname);
> +                VIR_FREE(inetaddr);
>              }
>  
>              ret = virNWFilterInstantiateFilterLate(req->driver,
> @@ -636,7 +637,8 @@ learnIPAddressThread(void *arg)
>                                                     req->filtername,
>                                                     req->filterparams);
>              VIR_DEBUG("Result from applying firewall rules on "
> -                      "%s with IP addr %s : %d", req->ifname, inetaddr, ret);
> +                      "%s with IP addr %s : %d", req->ifname, NULLSTR(inetaddr), ret);> +

Still not quite right... VIR_FREE() only happens if
virNWFilterIPAddrMapAddIPAddr() < 0.

Not sure what the purpose of a VIR_FREE in the upper condition and then
NULLSTR() below would be...  We're still calling
virNWFilterInstantiateFilterLate regardless and still want the VIR_DEBUG
printed.

Perhaps just a VIR_FREE() after the VIR_DEBUG would seem to be
sufficient since there's no escape clause.  The VIR_ERROR may help us
understand why/if ret != 0 though... I didn't put much thought into that
though.

John

>          }
>      } else {
>          if (showError)