7:50 a.m.
Hi,
I came across this line in the phypOpen function:
char string[strlen(conn->uri->path)];
Here the path part of the given URI is used without checking it for
NULL, this can cause a segfault as strlen expects a string != NULL.
Beside that uuid_db and connection_data leak in case of an error.
In this line
conn->uri->path = string;
the original path of the URI leaks. The patch adds a VIR_FREE call
before setting the new path.
The attached patch is compile-tested but I don't have a Power
Hypervisor installation at hand to test it for real.
Matthias
8:35 a.m.
New subject: [libvirt] Power Hypervisor: Fix potential segfault and memleak in phypOpen
Matthias Bolte wrote:
Hi,
I came across this line in the phypOpen function:
char string[strlen(conn->uri->path)];
Here the path part of the given URI is used without checking it for
NULL, this can cause a segfault as strlen expects a string != NULL.
Heh, it's worse than that; there is a check later on for !conn || !conn->uri, so
you are potentially de-referencing a NULL pointer.
Beside that uuid_db and connection_data leak in case of an error.
In this line
conn->uri->path = string;
the original path of the URI leaks. The patch adds a VIR_FREE call
before setting the new path.
The attached patch is compile-tested but I don't have a Power
Hypervisor installation at hand to test it for real.
I also don't have a Power Hypervisor, but it looks sane enough to me. I'll say
ACK, but it's probably a good idea to get someone who has Power to test it
before you commit.
--
Chris Lalancette
12:07 p.m.
On Fri, 2009-08-07 at 15:35 +0200, Chris Lalancette wrote:
Matthias Bolte wrote:
> Hi,
>
> I came across this line in the phypOpen function:
>
> char string[strlen(conn->uri->path)];
>
> Here the path part of the given URI is used without checking it for
> NULL, this can cause a segfault as strlen expects a string != NULL.
Heh, it's worse than that; there is a check later on for !conn || !conn->uri, so
you are potentially de-referencing a NULL pointer.
> Beside that uuid_db and connection_data leak in case of an error.
>
> In this line
>
> conn->uri->path = string;
>
> the original path of the URI leaks. The patch adds a VIR_FREE call
> before setting the new path.
>
> The attached patch is compile-tested but I don't have a Power
> Hypervisor installation at hand to test it for real.
I also don't have a Power Hypervisor, but it looks sane enough to me. I'll say
ACK, but it's probably a good idea to get someone who has Power to test it
before you commit.
I tested with some Power machines I have over here and it is ACK for me.
[]'s
--
Eduardo Otubo
Software Engineer
Linux Technology Center
IBM Systems & Technology Group
Mobile: +55 19 8135 0885
otubo(a)linux.vnet.ibm.com
4:53 a.m.
2009/8/14 Eduardo Otubo <otubo(a)linux.vnet.ibm.com>:
On Fri, 2009-08-07 at 15:35 +0200, Chris Lalancette wrote:
> Matthias Bolte wrote:
> > Hi,
> >
> > I came across this line in the phypOpen function:
> >
> > char string[strlen(conn->uri->path)];
> >
> > Here the path part of the given URI is used without checking it for
> > NULL, this can cause a segfault as strlen expects a string != NULL.
>
> Heh, it's worse than that; there is a check later on for !conn || !conn->uri,
so
> you are potentially de-referencing a NULL pointer.
>
> > Beside that uuid_db and connection_data leak in case of an error.
> >
> > In this line
> >
> > conn->uri->path = string;
> >
> > the original path of the URI leaks. The patch adds a VIR_FREE call
> > before setting the new path.
> >
> > The attached patch is compile-tested but I don't have a Power
> > Hypervisor installation at hand to test it for real.
>
> I also don't have a Power Hypervisor, but it looks sane enough to me. I'll
say
> ACK, but it's probably a good idea to get someone who has Power to test it
> before you commit.
>
I tested with some Power machines I have over here and it is ACK for me.
[]'s
A change to escape_specialcharacters() affects this patch, so I
attached a v2 of it. The only change to the first patch is the caching
of strlen(conn->uri->path) + 1 to use it for VIR_ALLOC_N() and
escape_specialcharacters().
Matthias
5:12 a.m.
On Fri, Aug 07, 2009 at 02:50:19PM +0200, Matthias Bolte wrote:
Hi,
I came across this line in the phypOpen function:
char string[strlen(conn->uri->path)];
Here the path part of the given URI is used without checking it for
NULL, this can cause a segfault as strlen expects a string != NULL.
Beside that uuid_db and connection_data leak in case of an error.
In this line
conn->uri->path = string;
the original path of the URI leaks. The patch adds a VIR_FREE call
before setting the new path.
The attached patch is compile-tested but I don't have a Power
Hypervisor installation at hand to test it for real.
Matthias
diff --git a/src/phyp/phyp_driver.c b/src/phyp/phyp_driver.c
index cbfd31b..f21ae64 100644
--- a/src/phyp/phyp_driver.c
+++ b/src/phyp/phyp_driver.c
@@ -61,25 +61,17 @@ static virDrvOpenStatus
phypOpen(virConnectPtr conn,
virConnectAuthPtr auth, int flags ATTRIBUTE_UNUSED)
{
- SSH_SESSION *session;
- ConnectionData *connection_data;
- char string[strlen(conn->uri->path)];
-
+ SSH_SESSION *session = NULL;
+ ConnectionData *connection_data = NULL;
+ char *string = NULL;
uuid_dbPtr uuid_db = NULL;
- if (VIR_ALLOC(uuid_db) < 0)
- virReportOOMError(conn);
-
- if (VIR_ALLOC(connection_data) < 0)
- virReportOOMError(conn);
-
if (!conn || !conn->uri)
return VIR_DRV_OPEN_DECLINED;
if (conn->uri->scheme == NULL || STRNEQ(conn->uri->scheme,
"phyp"))
return VIR_DRV_OPEN_DECLINED;
-
if (conn->uri->server == NULL) {
virRaiseError(conn, NULL, NULL, 0, VIR_FROM_PHYP,
VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "%s",
@@ -94,20 +86,36 @@ phypOpen(virConnectPtr conn,
return VIR_DRV_OPEN_ERROR;
}
+ if (VIR_ALLOC(uuid_db) < 0) {
+ virReportOOMError(conn);
+ goto failure;
+ }
+
+ if (VIR_ALLOC(connection_data) < 0) {
+ virReportOOMError(conn);
+ goto failure;
+ }
+
+ if (VIR_ALLOC_N(string, strlen(conn->uri->path) + 1) < 0) {
+ virReportOOMError(conn);
+ goto failure;
+ }
+
if (escape_specialcharacters(conn->uri->path, string) == -1) {
virRaiseError(conn, NULL, NULL, 0, VIR_FROM_PHYP,
VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "%s",
_("Error parsing 'path'. Invalid
characters."));
- return VIR_DRV_OPEN_ERROR;
+ goto failure;
}
if ((session = openSSHSession(conn, auth)) == NULL) {
virRaiseError(conn, NULL, NULL, 0, VIR_FROM_PHYP,
VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "%s",
_("Error while opening SSH session."));
- return VIR_DRV_OPEN_ERROR;
+ goto failure;
}
+ VIR_FREE(conn->uri->path);
conn->uri->path = string;
connection_data->session = session;
connection_data->auth = auth;
@@ -120,6 +128,13 @@ phypOpen(virConnectPtr conn,
init_uuid_db(conn);
return VIR_DRV_OPEN_SUCCESS;
+
+ failure:
+ VIR_FREE(uuid_db);
+ VIR_FREE(connection_data);
+ VIR_FREE(string);
+
+ return VIR_DRV_OPEN_ERROR;
}
static int
ACK
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
5:53 a.m.
New subject: [libvirt] Power Hypervisor: Fix potential segfault and memleak in phypOpen
Matthias Bolte wrote:
Hi,
I came across this line in the phypOpen function:
char string[strlen(conn->uri->path)];
Here the path part of the given URI is used without checking it for
NULL, this can cause a segfault as strlen expects a string != NULL.
Beside that uuid_db and connection_data leak in case of an error.
In this line
conn->uri->path = string;
the original path of the URI leaks. The patch adds a VIR_FREE call
before setting the new path.
The attached patch is compile-tested but I don't have a Power
Hypervisor installation at hand to test it for real.
I've now committed this patch (with some slight munging to get it to apply to
recent libvirt.git).
Thanks,
--
Chris Lalancette
6:07 a.m.
2009/8/20 Chris Lalancette <clalance(a)redhat.com>:
Matthias Bolte wrote:
> Hi,
>
> I came across this line in the phypOpen function:
>
> char string[strlen(conn->uri->path)];
>
> Here the path part of the given URI is used without checking it for
> NULL, this can cause a segfault as strlen expects a string != NULL.
> Beside that uuid_db and connection_data leak in case of an error.
>
> In this line
>
> conn->uri->path = string;
>
> the original path of the URI leaks. The patch adds a VIR_FREE call
> before setting the new path.
>
> The attached patch is compile-tested but I don't have a Power
> Hypervisor installation at hand to test it for real.
I've now committed this patch (with some slight munging to get it to apply to
recent libvirt.git).
Thanks,
--
Chris Lalancette
Well, you should have applied version 2 of this patch, because version
1 was invalidated by changes to escape_specialcharacters(). It now
takes a length argument, but string isn't an array anymore (but a char
pointer), so sizeof(string) does no longer the right thing:
escape_specialcharacters(conn->uri->path, string, sizeof(string))
I attached patch version 2 again.
Matthias
6:53 a.m.
New subject: [libvirt] Power Hypervisor: Fix potential segfault and memleak in phypOpen
Matthias Bolte wrote:
2009/8/20 Chris Lalancette <clalance(a)redhat.com>:
> Matthias Bolte wrote:
>> Hi,
>>
>> I came across this line in the phypOpen function:
>>
>> char string[strlen(conn->uri->path)];
>>
>> Here the path part of the given URI is used without checking it for
>> NULL, this can cause a segfault as strlen expects a string != NULL.
>> Beside that uuid_db and connection_data leak in case of an error.
>>
>> In this line
>>
>> conn->uri->path = string;
>>
>> the original path of the URI leaks. The patch adds a VIR_FREE call
>> before setting the new path.
>>
>> The attached patch is compile-tested but I don't have a Power
>> Hypervisor installation at hand to test it for real.
> I've now committed this patch (with some slight munging to get it to apply to
> recent libvirt.git).
>
> Thanks,
> --
> Chris Lalancette
>
Well, you should have applied version 2 of this patch, because version
1 was invalidated by changes to escape_specialcharacters(). It now
takes a length argument, but string isn't an array anymore (but a char
pointer), so sizeof(string) does no longer the right thing:
escape_specialcharacters(conn->uri->path, string, sizeof(string))
I attached patch version 2 again.
Gah, sorry, I totally missed (or forgot about) that. I'll apply the incremental
diff, thanks.
--
Chris Lalancette
5573
days inactive
5586
days old
7 comments
4 participants
participants (4)
-
Chris Lalancette -
Daniel P. Berrange -
Eduardo Otubo -
Matthias Bolte