[libvirt] Power Hypervisor: Fix potential segfault and memleak in phypOpen

Hi,
I came across this line in the phypOpen function:
char string[strlen(conn->uri->path)];
Here the path part of the given URI is used without checking it for NULL; this can cause a segfault as strlen expects a string != NULL. Besides that, uuid_db and connection_data leak in case of an error.
In this line
conn->uri->path = string;
the original path of the URI leaks. The patch adds a VIR_FREE call before setting the new path.
The attached patch is compile-tested but I don't have a Power Hypervisor installation at hand to test it for real.
Matthias

Matthias Bolte wrote:
Hi,
I came across this line in the phypOpen function:
char string[strlen(conn->uri->path)];
Here the path part of the given URI is used without checking it for NULL; this can cause a segfault as strlen expects a string != NULL.
Heh, it's worse than that; there is a check later on for !conn || !conn->uri, so you are potentially de-referencing a NULL pointer.
Besides that, uuid_db and connection_data leak in case of an error.
In this line
conn->uri->path = string;
the original path of the URI leaks. The patch adds a VIR_FREE call before setting the new path.
The attached patch is compile-tested but I don't have a Power Hypervisor installation at hand to test it for real.
I also don't have a Power Hypervisor, but it looks sane enough to me. I'll say ACK, but it's probably a good idea to get someone who has Power to test it before you commit. -- Chris Lalancette

On Fri, 2009-08-07 at 15:35 +0200, Chris Lalancette wrote:
Matthias Bolte wrote:
Hi,
I came across this line in the phypOpen function:
char string[strlen(conn->uri->path)];
Here the path part of the given URI is used without checking it for NULL; this can cause a segfault as strlen expects a string != NULL.
Heh, it's worse than that; there is a check later on for !conn || !conn->uri, so you are potentially de-referencing a NULL pointer.
Besides that, uuid_db and connection_data leak in case of an error.
In this line
conn->uri->path = string;
the original path of the URI leaks. The patch adds a VIR_FREE call before setting the new path.
The attached patch is compile-tested but I don't have a Power Hypervisor installation at hand to test it for real.
I also don't have a Power Hypervisor, but it looks sane enough to me. I'll say ACK, but it's probably a good idea to get someone who has Power to test it before you commit.
I tested with some Power machines I have over here and it is ACK for me. []'s -- Eduardo Otubo Software Engineer Linux Technology Center IBM Systems & Technology Group Mobile: +55 19 8135 0885 otubo@linux.vnet.ibm.com

2009/8/14 Eduardo Otubo <otubo@linux.vnet.ibm.com>:
On Fri, 2009-08-07 at 15:35 +0200, Chris Lalancette wrote:
Matthias Bolte wrote:
Hi,
I came across this line in the phypOpen function:
char string[strlen(conn->uri->path)];
Here the path part of the given URI is used without checking it for NULL; this can cause a segfault as strlen expects a string != NULL.
Heh, it's worse than that; there is a check later on for !conn || !conn->uri, so you are potentially de-referencing a NULL pointer.
Besides that, uuid_db and connection_data leak in case of an error.
In this line
conn->uri->path = string;
the original path of the URI leaks. The patch adds a VIR_FREE call before setting the new path.
The attached patch is compile-tested but I don't have a Power Hypervisor installation at hand to test it for real.
I also don't have a Power Hypervisor, but it looks sane enough to me. I'll say ACK, but it's probably a good idea to get someone who has Power to test it before you commit.
I tested with some Power machines I have over here and it is ACK for me.
[]'s
A change to escape_specialcharacters() affects this patch, so I attached a v2 of it. The only change to the first patch is the caching of strlen(conn->uri->path) + 1 to use it for VIR_ALLOC_N() and escape_specialcharacters(). Matthias

On Fri, Aug 07, 2009 at 02:50:19PM +0200, Matthias Bolte wrote:
Hi,
I came across this line in the phypOpen function:
char string[strlen(conn->uri->path)];
Here the path part of the given URI is used without checking it for NULL; this can cause a segfault as strlen expects a string != NULL. Besides that, uuid_db and connection_data leak in case of an error.
In this line
conn->uri->path = string;
the original path of the URI leaks. The patch adds a VIR_FREE call before setting the new path.
The attached patch is compile-tested but I don't have a Power Hypervisor installation at hand to test it for real.
Matthias
diff --git a/src/phyp/phyp_driver.c b/src/phyp/phyp_driver.c index cbfd31b..f21ae64 100644 --- a/src/phyp/phyp_driver.c +++ b/src/phyp/phyp_driver.c @@ -61,25 +61,17 @@ static virDrvOpenStatus phypOpen(virConnectPtr conn, virConnectAuthPtr auth, int flags ATTRIBUTE_UNUSED) { - SSH_SESSION *session; - ConnectionData *connection_data; - char string[strlen(conn->uri->path)]; - + SSH_SESSION *session = NULL; + ConnectionData *connection_data = NULL; + char *string = NULL; uuid_dbPtr uuid_db = NULL;
- if (VIR_ALLOC(uuid_db) < 0) - virReportOOMError(conn); - - if (VIR_ALLOC(connection_data) < 0) - virReportOOMError(conn); - if (!conn || !conn->uri) return VIR_DRV_OPEN_DECLINED;
if (conn->uri->scheme == NULL || STRNEQ(conn->uri->scheme, "phyp")) return VIR_DRV_OPEN_DECLINED;
- if (conn->uri->server == NULL) { virRaiseError(conn, NULL, NULL, 0, VIR_FROM_PHYP, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "%s", @@ -94,20 +86,36 @@ phypOpen(virConnectPtr conn, return VIR_DRV_OPEN_ERROR; }
+ if (VIR_ALLOC(uuid_db) < 0) { + virReportOOMError(conn); + goto failure; + } + + if (VIR_ALLOC(connection_data) < 0) { + virReportOOMError(conn); + goto failure; + } + + if (VIR_ALLOC_N(string, strlen(conn->uri->path) + 1) < 0) { + virReportOOMError(conn); + goto failure; + } + if (escape_specialcharacters(conn->uri->path, string) == -1) { virRaiseError(conn, NULL, NULL, 0, VIR_FROM_PHYP, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "%s", _("Error parsing 'path'. Invalid characters.")); - return VIR_DRV_OPEN_ERROR; + goto failure; }
if ((session = openSSHSession(conn, auth)) == NULL) { virRaiseError(conn, NULL, NULL, 0, VIR_FROM_PHYP, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "%s", _("Error while opening SSH session.")); - return VIR_DRV_OPEN_ERROR; + goto failure; }
+ VIR_FREE(conn->uri->path); conn->uri->path = string; connection_data->session = session; connection_data->auth = auth; @@ -120,6 +128,13 @@ phypOpen(virConnectPtr conn, init_uuid_db(conn);
return VIR_DRV_OPEN_SUCCESS; + + failure: + VIR_FREE(uuid_db); + VIR_FREE(connection_data); + VIR_FREE(string); + + return VIR_DRV_OPEN_ERROR; }
static int
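Review bot: the original `if (VIR_ALLOC(uuid_db) < 0) virReportOOMError(conn);` in the first hunk reported OOM without returning, so phypOpen carried on with a NULL uuid_db; moving both allocations below the `!conn || !conn->uri` and scheme checks, where a failure can `goto failure`, also stops the two early `return VIR_DRV_OPEN_DECLINED` paths from leaking them. Replacing the VLA with `char *string = NULL` is needed for the same reason: `char string[strlen(conn->uri->path)]` evaluated strlen() at function entry, before any check on conn or conn->uri.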
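Review bot: the second hunk still calls `strlen(conn->uri->path)` with no check that conn->uri->path is non-NULL, which is the segfault the cover letter set out to fix; a phyp URI without a path component passes the `!conn || !conn->uri` and scheme checks and reaches `VIR_ALLOC_N(string, strlen(conn->uri->path) + 1)`. Suggest a `conn->uri->path == NULL` test next to the existing `conn->uri->server == NULL` error. Sizing string as strlen(path) + 1 also assumes escape_specialcharacters() never emits more bytes than it reads; since the destination length is not passed, nothing bounds the copy if that assumption ever changes.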
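Review bot: the failure label in the last hunk frees uuid_db, connection_data and string but does not close session; that is only correct because the openSSHSession() error is the last `goto failure` and every earlier jump happens with session still NULL, so a comment at the label (or closing a non-NULL session there) would keep the cleanup safe to extend. The `VIR_FREE(conn->uri->path)` before `conn->uri->path = string` is right now that string is heap memory; with the old VLA that assignment stored a pointer to stack memory into a URI that outlives the function.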
ACK Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

Matthias Bolte wrote:
Hi,
I came across this line in the phypOpen function:
char string[strlen(conn->uri->path)];
Here the path part of the given URI is used without checking it for NULL; this can cause a segfault as strlen expects a string != NULL. Besides that, uuid_db and connection_data leak in case of an error.
In this line
conn->uri->path = string;
the original path of the URI leaks. The patch adds a VIR_FREE call before setting the new path.
The attached patch is compile-tested but I don't have a Power Hypervisor installation at hand to test it for real.
I've now committed this patch (with some slight munging to get it to apply to recent libvirt.git). Thanks, -- Chris Lalancette

2009/8/20 Chris Lalancette <clalance@redhat.com>:
Matthias Bolte wrote:
Hi,
I came across this line in the phypOpen function:
char string[strlen(conn->uri->path)];
Here the path part of the given URI is used without checking it for NULL; this can cause a segfault as strlen expects a string != NULL. Besides that, uuid_db and connection_data leak in case of an error.
In this line
conn->uri->path = string;
the original path of the URI leaks. The patch adds a VIR_FREE call before setting the new path.
The attached patch is compile-tested but I don't have a Power Hypervisor installation at hand to test it for real.
I've now committed this patch (with some slight munging to get it to apply to recent libvirt.git).
Thanks, -- Chris Lalancette
Well, you should have applied version 2 of this patch, because version 1 was invalidated by changes to escape_specialcharacters(). It now takes a length argument, but string isn't an array anymore (but a char pointer), so sizeof(string) no longer does the right thing:
escape_specialcharacters(conn->uri->path, string, sizeof(string))
I attached patch version 2 again.
Matthias
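The sizeof pitfall described above, shown as an added stand-alone C example that is not libvirt's phyp driver code: escape_special and open_path are hypothetical stand-ins for escape_specialcharacters() and the path handling in phypOpen, with the length NULL-checked, computed once and passed explicitly, because sizeof on a char pointer yields the pointer width rather than the buffer size.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for escape_specialcharacters(): copy src into dst, rejecting shell
 * metacharacters. dstlen is the full buffer size including the terminating NUL.
 * Returns 0 on success, -1 on NULL input, overflow or a rejected character. */
static int escape_special(const char *src, char *dst, size_t dstlen)
{
    size_t i;
    if (src == NULL || dst == NULL || dstlen == 0)
        return -1;
    for (i = 0; src[i] != '\0'; i++) {
        if (i + 1 >= dstlen)                 /* no room for this byte plus NUL */
            return -1;
        if (strchr(";|&`$<>", src[i]) != NULL)
            return -1;                       /* constructed policy: reject */
        dst[i] = src[i];
    }
    dst[i] = '\0';
    return 0;
}

/* Stand-in for phypOpen()'s path handling: NULL-check the path, cache its
 * length once, allocate, escape, and free on every failure path.
 * On success *out owns the escaped copy and 0 is returned; -1 on error. */
static int open_path(const char *path, char **out)
{
    size_t len;
    char *string = NULL;
    *out = NULL;
    if (path == NULL)          /* the check the original strlen() call lacked */
        return -1;
    len = strlen(path) + 1;    /* cached: sizeof(string) would be sizeof(char *) */
    if ((string = malloc(len)) == NULL)
        return -1;
    if (escape_special(path, string, len) == -1) {
        free(string);          /* single cleanup, like the patch's failure label */
        return -1;
    }
    *out = string;
    return 0;
}

/* What sizeof reports for a heap pointer: the pointer width, never the
 * allocation size, which is why the length must be cached separately. */
static size_t pointer_sizeof(void)
{
    char *string = NULL;
    return sizeof(string);     /* 4 or 8 on common targets */
}
```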

Matthias Bolte wrote:
2009/8/20 Chris Lalancette <clalance@redhat.com>:
Matthias Bolte wrote:
Hi,
I came across this line in the phypOpen function:
char string[strlen(conn->uri->path)];
Here the path part of the given URI is used without checking it for NULL; this can cause a segfault as strlen expects a string != NULL. Besides that, uuid_db and connection_data leak in case of an error.
In this line
conn->uri->path = string;
the original path of the URI leaks. The patch adds a VIR_FREE call before setting the new path.
The attached patch is compile-tested but I don't have a Power Hypervisor installation at hand to test it for real.
I've now committed this patch (with some slight munging to get it to apply to recent libvirt.git).
Thanks, -- Chris Lalancette
Well, you should have applied version 2 of this patch, because version 1 was invalidated by changes to escape_specialcharacters(). It now takes a length argument, but string isn't an array anymore (but a char pointer), so sizeof(string) no longer does the right thing:
escape_specialcharacters(conn->uri->path, string, sizeof(string))
I attached patch version 2 again.
Gah, sorry, I totally missed (or forgot about) that. I'll apply the incremental diff, thanks. -- Chris Lalancette