[libvirt] [PATCH] Fix possible NULL dereference in driver

If brSetForwardDelay() fails, we go to err1 where we want to access macTapIfName variable which was just VIR_FREE'd a few lines above.
---
 src/network/bridge_driver.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index ea2bfd4..97d8ce0 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1616,7 +1616,7 @@ networkStartNetworkDaemon(struct network_driver *driver,
 bool v4present = false, v6present = false;
 virErrorPtr save_err = NULL;
 virNetworkIpDefPtr ipdef;
- char *macTapIfName;
+ char *macTapIfName = NULL;
 if (virNetworkObjIsActive(network)) {
 networkReportError(VIR_ERR_OPERATION_INVALID,
@@ -1657,7 +1657,6 @@ networkStartNetworkDaemon(struct network_driver *driver,
 VIR_FREE(macTapIfName);
 goto err0;
 }
- VIR_FREE(macTapIfName);
 }
 /* Set bridge options */
@@ -1731,6 +1730,7 @@ networkStartNetworkDaemon(struct network_driver *driver,
 goto err5;
 }
+ VIR_FREE(macTapIfName);
 VIR_INFO(_("Starting up network '%s'"), network->def->name);
 network->active = 1;
@@ -1778,6 +1778,7 @@ networkStartNetworkDaemon(struct network_driver *driver,
 macTapIfName, network->def->bridge, virStrerror(err, ebuf, sizeof ebuf));
 }
+ VIR_FREE(macTapIfName);
 err0:
 if (!save_err)
--
1.7.4.2
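Review bot: In the last hunk, the error-reporting call that takes `macTapIfName` as an argument, just above the added `VIR_FREE(macTapIfName);`, may now run with the pointer still NULL, because the first hunk initializes it to NULL and the allocation site is not in the visible context. The condition guarding that cleanup block is outside the hunk, so this needs confirming against the full function: if the name is only allocated on some configurations, the block should be skipped with a guard such as `if (macTapIfName) {` rather than passing NULL to a `%s`-style formatter. A comment at the declaration, `/* owned by this function; freed once on the success path and once just before err0 */`, would also record the ownership rule the patch establishes. networkStartNetworkDaemon's body starts and ends outside these hunks.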

On 04/14/2011 08:03 AM, Michal Privoznik wrote:
If brSetForwardDelay() fails, we go to err1 where we want to access macTapIfName variable which was just VIR_FREE'd a few lines above.
*raises hand* Thanks for fixing this.
---
 src/network/bridge_driver.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index ea2bfd4..97d8ce0 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1616,7 +1616,7 @@ networkStartNetworkDaemon(struct network_driver *driver,
 bool v4present = false, v6present = false;
 virErrorPtr save_err = NULL;
 virNetworkIpDefPtr ipdef;
- char *macTapIfName;
+ char *macTapIfName = NULL;
if (virNetworkObjIsActive(network)) {
 networkReportError(VIR_ERR_OPERATION_INVALID,
@@ -1657,7 +1657,6 @@ networkStartNetworkDaemon(struct network_driver *driver,
 VIR_FREE(macTapIfName);
 goto err0;
 }
- VIR_FREE(macTapIfName);
ACK. (In the spirit of putting all the frees down at the bottom (so that any later additions to the code don't need to remember to add VIR_FREE(macTapIfName) before they jump to err0), I might have added an "err0_5" label just above the VIR_FREE during error recovery, and jumped to there instead of err0. But this way also works, and it's only a single line, not a bunch of them, so I also might not have :-).)
}
/* Set bridge options */
@@ -1731,6 +1730,7 @@ networkStartNetworkDaemon(struct network_driver *driver,
 goto err5;
 }
+ VIR_FREE(macTapIfName);
 VIR_INFO(_("Starting up network '%s'"), network->def->name);
 network->active = 1;
@@ -1778,6 +1778,7 @@ networkStartNetworkDaemon(struct network_driver *driver,
 macTapIfName, network->def->bridge, virStrerror(err, ebuf, sizeof ebuf));
 }
+ VIR_FREE(macTapIfName);
err0:
if (!save_err)