[libvirt] [PATCH] libxl: fix memory corruption introduced by commit b55cc5f4e

Commit b55cc5f4e did a shallow copy of libxl_{sdl,vnc}_info from the domain config to the build info, which resulted in double-freeing strings contained in the structures during cleanup, which later resulted in a libvirtd crash. Fix by performing a deep copy of the structure, VIR_STRDUP'ing embedded strings instead of simply copying their pointers. Fixes the following issue reported on the libvirt dev list https://www.redhat.com/archives/libvir-list/2014-August/msg01112.html Signed-off-by: Jim Fehlig <jfehlig@suse.com> --- src/libxl/libxl_conf.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/src/libxl/libxl_conf.c b/src/libxl/libxl_conf.c index 1210500..1dbdd9c 100644 --- a/src/libxl/libxl_conf.c +++ b/src/libxl/libxl_conf.c @@ -1130,10 +1130,24 @@ libxlMakeVfbList(virPortAllocatorPtr graphicsports, libxl_domain_build_info *b_info = &d_config->b_info; libxl_device_vfb vfb = d_config->vfbs[0]; - if (libxl_defbool_val(vfb.vnc.enable)) - memcpy(&b_info->u.hvm.vnc, &vfb.vnc, sizeof(libxl_vnc_info)); - else if (libxl_defbool_val(vfb.sdl.enable)) - memcpy(&b_info->u.hvm.sdl, &vfb.sdl, sizeof(libxl_sdl_info)); + if (libxl_defbool_val(vfb.vnc.enable)) { + libxl_defbool_set(&b_info->u.hvm.vnc.enable, true); + if (VIR_STRDUP(b_info->u.hvm.vnc.listen, vfb.vnc.listen) < 0) + goto error; + if (VIR_STRDUP(b_info->u.hvm.vnc.passwd, vfb.vnc.passwd) < 0) + goto error; + b_info->u.hvm.vnc.display = vfb.vnc.display; + libxl_defbool_set(&b_info->u.hvm.vnc.findunused, + libxl_defbool_val(vfb.vnc.findunused)); + } else if (libxl_defbool_val(vfb.sdl.enable)) { + libxl_defbool_set(&b_info->u.hvm.sdl.enable, true); + libxl_defbool_set(&b_info->u.hvm.sdl.opengl, + libxl_defbool_val(vfb.sdl.opengl)); + if (VIR_STRDUP(b_info->u.hvm.sdl.display, vfb.sdl.display) < 0) + goto error; + if (VIR_STRDUP(b_info->u.hvm.sdl.xauthority, vfb.sdl.xauthority) < 0) + goto error; + } } return 0; -- 1.8.4.5
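Review bot: the four `goto error` statements added in the VNC and SDL branches jump to a label that is not part of this hunk, and a string already VIR_STRDUP'd into `b_info->u.hvm.vnc` or `b_info->u.hvm.sdl` by the first call is not released here when the second call fails (`listen` before `passwd`, `display` before `xauthority`). Please confirm that `error:` exists in libxlMakeVfbList and that the caller disposes `d_config` (and with it `b_info`) on that path; otherwise the failure path leaks the first duplicate. One small point worth a sentence in the commit message: `vfb.vnc.passwd` and `vfb.sdl.xauthority` are optional and may be NULL, and VIR_STRDUP tolerates a NULL source (destination set to NULL, return 0), so the unguarded calls are correct as written. The remaining members (`enable`, `display`, `findunused`, `opengl`) are all assigned explicitly, so nothing from the old memcpy is lost.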

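The shallow-copy double free described in the commit message above, reduced to a stand-alone C program. This is an added example, not libvirt or libxl code: `vnc_info_t`, `strdup_or_null`, `vnc_info_dispose`, `vnc_info_aliases` and `demo_copy_ownership` are hypothetical stand-ins for libxl_vnc_info, VIR_STRDUP and libxl's dispose routine. The deep copy also shows the step the patch leaves to its `goto error` label: releasing the strings already duplicated when a later duplication fails.

```c
/*
 * Added example (not libvirt or libxl code): the shallow-vs-deep copy
 * problem behind commit b55cc5f4e, on a toy struct.  All names below are
 * hypothetical stand-ins for libxl_vnc_info, VIR_STRDUP and friends.
 */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for libxl_vnc_info: two heap-owned strings plus plain values. */
typedef struct {
    bool enable;
    char *listen;     /* owned */
    char *passwd;     /* owned, may be NULL */
    int display;
    bool findunused;
} vnc_info_t;

/* Portable strdup so the example builds under strict -std=c99. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Like VIR_STRDUP: a NULL source yields a NULL destination and is not an
 * error.  Returns -1 only when allocation fails. */
static int strdup_or_null(char **dst, const char *src)
{
    *dst = NULL;
    if (src == NULL)
        return 0;
    *dst = dup_string(src);
    return *dst ? 0 : -1;
}

/* Releases the strings a vnc_info_t owns and resets the pointers, so a
 * second dispose of the same object is harmless. */
void vnc_info_dispose(vnc_info_t *v)
{
    free(v->listen);
    free(v->passwd);
    v->listen = NULL;
    v->passwd = NULL;
}

/* The buggy pattern: memcpy copies the pointers, so src and dst now share
 * the same heap blocks and disposing both frees each block twice. */
void vnc_info_shallow_copy(vnc_info_t *dst, const vnc_info_t *src)
{
    memcpy(dst, src, sizeof(*dst));
}

/* The fixed pattern: copy plain values, duplicate strings.  On allocation
 * failure it releases whatever it already duplicated into dst, so the
 * caller never holds a half-owned struct. */
int vnc_info_deep_copy(vnc_info_t *dst, const vnc_info_t *src)
{
    memset(dst, 0, sizeof(*dst));
    dst->enable = src->enable;
    dst->display = src->display;
    dst->findunused = src->findunused;
    if (strdup_or_null(&dst->listen, src->listen) < 0)
        goto error;
    if (strdup_or_null(&dst->passwd, src->passwd) < 0)
        goto error;
    return 0;
error:
    vnc_info_dispose(dst);
    return -1;
}

/* True when a and b own the same heap block for any string member, i.e.
 * disposing both would be a double free. */
bool vnc_info_aliases(const vnc_info_t *a, const vnc_info_t *b)
{
    return (a->listen && a->listen == b->listen) ||
           (a->passwd && a->passwd == b->passwd);
}

/* Constructed input: one VNC config with a listen address and no password.
 * Returns 1 when the shallow copy aliases the original and the deep copy
 * does not while keeping the same contents; 0 otherwise. */
int demo_copy_ownership(void)
{
    vnc_info_t src = { true, dup_string("127.0.0.1"), NULL, 5900, true };
    vnc_info_t shallow, deep;
    int ok;

    if (src.listen == NULL)
        return 0;
    vnc_info_shallow_copy(&shallow, &src);
    if (vnc_info_deep_copy(&deep, &src) < 0) {
        vnc_info_dispose(&src);
        return 0;
    }

    ok = vnc_info_aliases(&shallow, &src)          /* shared pointer   */
         && !vnc_info_aliases(&deep, &src)         /* separate block   */
         && strcmp(deep.listen, src.listen) == 0   /* same contents    */
         && deep.passwd == NULL                    /* NULL stays NULL  */
         && deep.display == 5900;

    /* Only the deep copy and the original are disposed.  Disposing
     * `shallow` too would free src.listen a second time. */
    vnc_info_dispose(&deep);
    vnc_info_dispose(&src);
    return ok;
}
```

Build with `cc -std=c99 -Wall` and call `demo_copy_ownership()`; the program never performs the double free itself, it only shows, via `vnc_info_aliases`, which copy would trigger it. Under a debug allocator or AddressSanitizer, adding `vnc_info_dispose(&shallow)` at the end reproduces the crash the commit message describes.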
On 08/25/2014 05:01 PM, Jim Fehlig wrote:
Commit b55cc5f4e did a shallow copy of libxl_{sdl,vnc}_info from the domain config to the build info, which resulted in double-freeing strings contained in the structures during cleanup, which later resulted in a libvirtd crash. Fix by performing a deep copy of the structure, VIR_STRDUP'ing embedded strings instead of simply copying their pointers.
Fixes the following issue reported on the libvirt dev list
https://www.redhat.com/archives/libvir-list/2014-August/msg01112.html

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
src/libxl/libxl_conf.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
ACK.

-- 
Eric Blake   eblake redhat com   +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Eric Blake wrote:
On 08/25/2014 05:01 PM, Jim Fehlig wrote:
Commit b55cc5f4e did a shallow copy of libxl_{sdl,vnc}_info from the domain config to the build info, which resulted in double-freeing strings contained in the structures during cleanup, which later resulted in a libvirtd crash. Fix by performing a deep copy of the structure, VIR_STRDUP'ing embedded strings instead of simply copying their pointers.
Fixes the following issue reported on the libvirt dev list
https://www.redhat.com/archives/libvir-list/2014-August/msg01112.html

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
src/libxl/libxl_conf.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
ACK.
Thanks; Pushed.

Regards,
Jim