[libvirt] [PATCH] virsh: Fix segfault of snapshot-list

"snaps" is used after free'ed, and the additional one entry should be added to the list. --- tools/virsh-snapshot.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/virsh-snapshot.c b/tools/virsh-snapshot.c index 6dd8bf2..635edd8 100644 --- a/tools/virsh-snapshot.c +++ b/tools/virsh-snapshot.c @@ -856,9 +856,6 @@ vshSnapshotListCollect(vshControl *ctl, virDomainPtr dom, snaplist->snaps = vshCalloc(ctl, count + (tree && from), sizeof(*snaplist->snaps)); snaplist->nsnaps = count; - for (i = 0; i < count; i++) - snaplist->snaps[i].snap = snaps[i]; - VIR_FREE(snaps); if (tree) { for (i = 0; i < count; i++) { if (vshGetSnapshotParent(ctl, snaplist->snaps[i].snap, @@ -870,6 +867,9 @@ vshSnapshotListCollect(vshControl *ctl, virDomainPtr dom, virDomainSnapshotRef(from); } } + for (i = 0; i < snaplist->nsnaps; i++) + snaplist->snaps[i].snap = snaps[i]; + VIR_FREE(snaps); goto success; } -- 1.7.7.6
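Review bot: the removal hunk at @@ -856 deletes the `snaplist->snaps[i].snap = snaps[i]` loop that sits before the `if (tree)` block, but the context line immediately after it, `vshGetSnapshotParent(ctl, snaplist->snaps[i].snap, ...)`, reads exactly those entries; vshCalloc zero-fills the array, so in tree mode the parent lookup now runs on NULL snapshot handles. Keep the copy loop and its `VIR_FREE(snaps)` where they were and repair the use-after-free at the later `snaps[snaplist->nsnaps++] = from;` line instead.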
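Review bot: the loop added at @@ -867 copies `snaplist->nsnaps` entries out of `snaps`, and the `if (from)` branch just above it (quoted in the reply below as `snaps[snaplist->nsnaps++] = from;`) raises nsnaps to count + 1, so the copy reads `snaps[count]`, an index beyond the `count` entries the list was sized for and one that only holds a value because `from` was first written into the source array; the allocation size of `snaps` is not visible in this patch, so that write is itself suspect. Store the extra entry in the list's own array, `snaplist->snaps[snaplist->nsnaps++].snap = from;`, and leave the copy loop and `VIR_FREE(snaps)` at their original position above the tree block.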

On 10/22/12 16:04, Osier Yang wrote:
"snaps" is used after free'ed, and the additional one entry should be added to the list. --- tools/virsh-snapshot.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/virsh-snapshot.c b/tools/virsh-snapshot.c index 6dd8bf2..635edd8 100644 --- a/tools/virsh-snapshot.c +++ b/tools/virsh-snapshot.c @@ -856,9 +856,6 @@ vshSnapshotListCollect(vshControl *ctl, virDomainPtr dom, snaplist->snaps = vshCalloc(ctl, count + (tree && from), sizeof(*snaplist->snaps)); snaplist->nsnaps = count; - for (i = 0; i < count; i++) - snaplist->snaps[i].snap = snaps[i]; - VIR_FREE(snaps); if (tree) { for (i = 0; i < count; i++) { if (vshGetSnapshotParent(ctl, snaplist->snaps[i].snap,
The fix isn't 100% correct. Here vshGetSnapshotParent expects the snaplist to be populated.

A few lines behind this context,

    if (from) {
        snaps[snaplist->nsnaps++] = from;

This line needs to be changed to access snaplist instead of snaps.

        virDomainSnapshotRef(from);
    }

Peter
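The ordering Peter asks for, as an added stand-alone example that is not libvirt code: the listing result is copied into the owned list and freed before anything reads the list, and the optional `from` entry is appended into the list's own array rather than into the freed source. The snapshot type, the `list_all_snapshots` and `find_parent` helpers and the sample table are constructed stand-ins for virDomainListAllSnapshots, vshGetSnapshotParent and real snapshot handles.

```c
/* Added example, not libvirt code: a self-contained model of the collect
 * routine discussed in the thread.  Types and helpers below are assumed
 * stand-ins; the sample table is constructed data. */
#include <stdlib.h>
#include <string.h>

/* Stand-in for a snapshot handle: a name and the name of its parent. */
typedef struct {
    const char *name;
    const char *parent;   /* NULL for a root snapshot */
} snapshot_t;

typedef struct {
    snapshot_t *snap;     /* borrowed pointer into the sample table */
    int parent_idx;       /* index of the parent within the list, -1 if none */
} snapshot_entry_t;

typedef struct {
    snapshot_entry_t *snaps;
    int nsnaps;
} snapshot_list_t;

/* Constructed sample data standing in for what the listing API returns. */
static snapshot_t sample_table[] = {
    { "base", NULL   },
    { "s1",   "base" },
    { "s2",   "s1"   },
};

/* Stand-in for the listing call: returns a heap array of pointers that the
 * caller must free, and the count, as virDomainListAllSnapshots would. */
static int list_all_snapshots(snapshot_t ***out)
{
    int count = (int)(sizeof(sample_table) / sizeof(sample_table[0]));
    snapshot_t **arr = calloc((size_t)count, sizeof(*arr));
    if (!arr)
        return -1;
    for (int i = 0; i < count; i++)
        arr[i] = &sample_table[i];
    *out = arr;
    return count;
}

/* Stand-in for vshGetSnapshotParent: it reads the list's entries, which is
 * why the list must already be populated when it is called.  The NULL
 * guard is what would have saved the patched code from dereferencing the
 * zero-filled entries. */
static int find_parent(const snapshot_list_t *list, const snapshot_t *snap)
{
    if (!snap->parent)
        return -1;
    for (int i = 0; i < list->nsnaps; i++)
        if (list->snaps[i].snap &&
            strcmp(list->snaps[i].snap->name, snap->parent) == 0)
            return i;
    return -1;
}

/* Collect snapshots into an owned list.  In tree mode an optional 'from'
 * snapshot is appended as an extra entry.  Returns the entry count. */
static int collect(snapshot_list_t *list, int tree, snapshot_t *from)
{
    snapshot_t **snaps = NULL;
    int count = list_all_snapshots(&snaps);
    if (count < 0)
        return -1;

    /* Room for the listing plus the optional 'from' entry. */
    list->snaps = calloc((size_t)count + (tree && from ? 1 : 0), sizeof(*list->snaps));
    if (!list->snaps) {
        free(snaps);
        return -1;
    }
    list->nsnaps = count;

    /* 1. Copy before anything reads list->snaps[i].snap, then release the
     *    listing array; nothing below may touch 'snaps' again. */
    for (int i = 0; i < count; i++)
        list->snaps[i].snap = snaps[i];
    free(snaps);
    snaps = NULL;

    if (tree) {
        for (int i = 0; i < count; i++)
            list->snaps[i].parent_idx = find_parent(list, list->snaps[i].snap);
        /* 2. Append 'from' into the list's own array, never into the freed
         *    source array; this is the assignment the review asks to change. */
        if (from) {
            list->snaps[list->nsnaps].snap = from;
            list->snaps[list->nsnaps].parent_idx = -1;
            list->nsnaps++;
        }
    }
    return list->nsnaps;
}

static void list_free(snapshot_list_t *list)
{
    free(list->snaps);
    list->snaps = NULL;
    list->nsnaps = 0;
}
```

With the constructed table, `collect(&list, 1, &extra)` yields four entries whose parent indexes are -1, 0, 1, -1, and the non-tree call yields three; in both cases `snaps` is freed exactly once and never read after the copy.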
participants (2)
- Osier Yang
- Peter Krempa