[libvirt] [PATCH] util: Avoid libvirtd crash

In fact, the 'tapfd' is always NULL, the function 'virNetDevTapCreate()' hasn't assign 'fd' to 'tapfd', when the function 'virNetDevSetMAC()' is failed then goto 'error' lable, finally, the VIR_FORCE_CLOSE() will deref a NULL 'tapfd'. * util/virnetdevtap.c (virNetDevTapCreateInBridgePort): fix a NULL pointer derefing. * How to reproduce? $ cat > /tmp/net.xml <<EOF <network> <name>test</name> <forward mode='nat'/> <bridge name='br1' stp='off' delay='1' /> <mac address='00:00:00:00:00:00'/> <ip address='192.168.100.1' netmask='255.255.255.0'> <dhcp> <range start='192.168.100.2' end='192.168.100.254' /> </dhcp> </ip> </network> EOF $ virsh net-define /tmp/net.xml $ virsh net-start test error: Failed to start network brTest error: End of file while reading data: Input/output error Signed-off-by: Alex Jia <ajia@redhat.com> --- src/util/virnetdevtap.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/src/util/virnetdevtap.c b/src/util/virnetdevtap.c index 0b3ac46..5d21164 100644 --- a/src/util/virnetdevtap.c +++ b/src/util/virnetdevtap.c @@ -341,7 +341,8 @@ int virNetDevTapCreateInBridgePort(const char *brname, return 0; error: - VIR_FORCE_CLOSE(*tapfd); + if (tapfd) + VIR_FORCE_CLOSE(*tapfd); return errno; } -- 1.7.1
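Review bot: at the `error:` label, the new `if (tapfd)` guard means this path closes nothing when the caller passes a NULL `tapfd`, so check in the rest of virNetDevTapCreateInBridgePort() that the descriptor obtained from virNetDevTapCreate() is not left open when virNetDevSetMAC() fails in that case. A one-line comment above the guard stating that `tapfd` may be NULL would document why the check is there and keep it from being dropped in a later cleanup. The commit message says `tapfd` is "always NULL", yet the guarded branch still dereferences it when it is not, so the message would be more accurate if it named the callers that pass NULL.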

On 04/28/2012 07:01 AM, Alex Jia wrote:
In fact, the 'tapfd' is always NULL, the function 'virNetDevTapCreate()' hasn't assign 'fd' to 'tapfd', when the function 'virNetDevSetMAC()' is failed then goto 'error' lable, finally, the VIR_FORCE_CLOSE() will deref a NULL 'tapfd'.
--- a/src/util/virnetdevtap.c +++ b/src/util/virnetdevtap.c @@ -341,7 +341,8 @@ int virNetDevTapCreateInBridgePort(const char *brname, return 0;
error: - VIR_FORCE_CLOSE(*tapfd); + if (tapfd) + VIR_FORCE_CLOSE(*tapfd);
return errno; }

ACK

The subject line is pretty generic; it's better to add something like the name of the function being fixed to minimize the chance of patch name collision causing backporters minor confusion in deciding what to backport.

On 04/28/2012 05:01 AM, Alex Jia wrote:
In fact, the 'tapfd' is always NULL, the function 'virNetDevTapCreate()' hasn't assign 'fd' to 'tapfd', when the function 'virNetDevSetMAC()' is failed then goto 'error' lable, finally, the VIR_FORCE_CLOSE() will deref a NULL 'tapfd'.
s/lable/label/
* util/virnetdevtap.c (virNetDevTapCreateInBridgePort): fix a NULL pointer derefing.
* How to reproduce?
$ cat > /tmp/net.xml <<EOF <network> <name>test</name> <forward mode='nat'/> <bridge name='br1' stp='off' delay='1' /> <mac address='00:00:00:00:00:00'/> <ip address='192.168.100.1' netmask='255.255.255.0'> <dhcp> <range start='192.168.100.2' end='192.168.100.254' /> </dhcp> </ip> </network> EOF
$ virsh net-define /tmp/net.xml
$ virsh net-start test error: Failed to start network brTest error: End of file while reading data: Input/output error
Pushed with commit message updated.

--
Eric Blake eblake@redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
participants (3)
- Alex Jia
- Eric Blake
- Stefan Berger