If a client drops its connection unexpectedly there is a possibility of a
double free in the daemon when SASL or TLS is in use. This is because
poll() on the socket can return POLLIN and POLLHUP/POLLERR at the same
time. Both the POLLIN and the POLLHUP handling code will then attempt to
use qemudDispatchClientFailure to mark the client as dying, releasing the
same resources twice. It is hard to avoid this potential double invocation
of the cleanup function, so it is preferable to make the function itself
safe to call more than once: release each resource only if it is still
held, and reset its handle afterwards.
Daniel
diff -rup libvirt-0.6.2.orig/qemud/qemud.c libvirt-0.6.2.new/qemud/qemud.c
--- libvirt-0.6.2.orig/qemud/qemud.c 2009-03-13 17:06:16.000000000 +0000
+++ libvirt-0.6.2.new/qemud/qemud.c 2009-05-28 17:58:44.000000000 +0100
@@ -1397,7 +1397,10 @@ static int qemudDispatchServer(struct qe
* jobs have finished, then clean it up elsehwere
*/
void qemudDispatchClientFailure(struct qemud_client *client) {
- virEventRemoveHandleImpl(client->watch);
+ if (client->watch != -1) {
+ virEventRemoveHandleImpl(client->watch);
+ client->watch = -1;
+ }
/* Deregister event delivery callback */
if(client->conn) {
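Review bot: The new `client->watch != -1` guard only makes the function safe to re-enter if every client is created with `watch` initialised to -1 (and `fd` likewise, for the matching guard later in the function); if the struct is zero-allocated and no watch is ever registered, the first call would pass a watch id of 0 to `virEventRemoveHandleImpl` and remove somebody else's handle, so the allocation site — not in this hunk — should be checked. The same question applies to the `if(client->conn)` block on the last line: its body lies outside the hunk, and unless it resets `client->conn` to NULL (or the deregistration call is itself idempotent) the second invocation this patch is defending against still reaches it. The body of qemudDispatchClientFailure continues past the end of this hunk.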
@@ -1406,12 +1409,21 @@ void qemudDispatchClientFailure(struct q
}
#if HAVE_SASL
- if (client->saslconn) sasl_dispose(&client->saslconn);
+ if (client->saslconn) {
+ sasl_dispose(&client->saslconn);
+ client->saslconn = NULL;
+ }
free(client->saslUsername);
+ client->saslUsername = NULL;
#endif
- if (client->tlssession) gnutls_deinit (client->tlssession);
- close(client->fd);
- client->fd = -1;
+ if (client->tlssession) {
+ gnutls_deinit (client->tlssession);
+ client->tlssession = NULL;
+ }
+ if (client->fd != -1) {
+ close(client->fd);
+ client->fd = -1;
+ }
}
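Review bot: The function is now intended to tolerate being called twice for the same client, but nothing in the code records that contract, and the guards in this hunk only hold if each handle starts out as -1/NULL when the client is created, which this patch does not show. I would add a comment above the first guard, or to the function's header comment that precedes this hunk, along the lines of `/* May be called more than once for the same client (POLLIN and POLLHUP/POLLERR can arrive together): each resource is released only if still held and its handle is reset afterwards. */`. The first line of this hunk is the closing brace of the `if(client->conn)` block whose body is not visible here, so whether that block is equally idempotent cannot be judged from this hunk.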