On 28.09.2016 21:38, Nehal J Wani wrote:

The NSS module shouldn't rely on custom leases database to not have entries for leases which have expired. --- tools/nss/libvirt_nss.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+)

diff --git a/tools/nss/libvirt_nss.c b/tools/nss/libvirt_nss.c index 54c4a2a..57ba473 100644 --- a/tools/nss/libvirt_nss.c +++ b/tools/nss/libvirt_nss.c @@ -42,6 +42,7 @@ #include "virlease.h" #include "viralloc.h" #include "virfile.h" +#include "virtime.h"

Well, technically you just need <time.h>, but luckily we are including virtime module in our libvirt-nss archive, and virtime.h includes time.h, so I think this is just okay.

#include "virerror.h" #include "virstring.h" #include "virsocketaddr.h" @@ -114,6 +115,8 @@ findLease(const char *name, ssize_t i, nleases; leaseAddress *tmpAddress = NULL; size_t ntmpAddress = 0; + long long currtime = 0; + long long expirytime = -1;

These initializations make no sense. @currtime is rewritten right away, and @expirytime a bit later (or a an error is reported if failed to do so).

*address = NULL; *naddress = 0; @@ -161,6 +164,8 @@ findLease(const char *name, nleases = virJSONValueArraySize(leases_array); DEBUG("Read %zd leases", nleases);

+ currtime = (long long) time(NULL);

I think that we should check for an error here. And if so, properly report it.

+ for (i = 0; i < nleases; i++) { virJSONValuePtr lease; const char *lease_name; @@ -181,6 +186,16 @@ findLease(const char *name, if (STRNEQ_NULLABLE(name, lease_name)) continue;

+ if (virJSONValueObjectGetNumberLong(lease, "expiry-time", &expirytime) < 0) { + /* A lease cannot be present without expiry-time */ + ERROR("expiry-time field missing for %s", name); + goto cleanup; + } + + /* Do not report expired lease */ + if (expirytime < currtime) + continue; + DEBUG("Found record for %s", lease_name); *found = true;

Otherwise looking good. Michal