12:58 p.m.
Detected by clang. NULL deref added in commit 343a27a (Mar 11),
but leak of voldef present since commit 2cd9b2d (Apr 09).
* src/storage/storage_driver.c (storageVolumeCreateXML): Don't
leak voldef or dereference null volobj.
---
src/storage/storage_driver.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
index 1ea5d12..19c7d63 100644
--- a/src/storage/storage_driver.c
+++ b/src/storage/storage_driver.c
@@ -1319,8 +1319,10 @@ storageVolumeCreateXML(virStoragePoolPtr obj,
pool->volumes.objs[pool->volumes.count++] = voldef;
volobj = virGetStorageVol(obj->conn, pool->def->name, voldef->name,
voldef->key);
+ if (!volobj)
+ goto cleanup;
- if (volobj && backend->buildVol) {
+ if (backend->buildVol) {
int buildret;
virStorageVolDefPtr buildvoldef = NULL;
--
1.7.4.4
12:18 a.m.
On 05/03/2011 01:58 PM, Eric Blake wrote:
Detected by clang. NULL deref added in commit 343a27a (Mar 11),
but leak of voldef present since commit 2cd9b2d (Apr 09).
* src/storage/storage_driver.c (storageVolumeCreateXML): Don't
leak voldef or dereference null volobj.
---
src/storage/storage_driver.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
index 1ea5d12..19c7d63 100644
--- a/src/storage/storage_driver.c
+++ b/src/storage/storage_driver.c
@@ -1319,8 +1319,10 @@ storageVolumeCreateXML(virStoragePoolPtr obj,
pool->volumes.objs[pool->volumes.count++] = voldef;
volobj = virGetStorageVol(obj->conn, pool->def->name, voldef->name,
voldef->key);
+ if (!volobj)
+ goto cleanup;
At this point, voldef has been added into pool->volumes.objs[], but
voldef hasn't been NULLed out yet, so there is an extra pointer to it.
If you goto cleanup, you will end up calling
virStorageVolDefFree(voldef), so that object will get freed, but
pool->volumes.objs still has a pointer to it.
You either need to NULL out voldef, or remove it from
pool->volumes.objs[] (ie, just decrement the count). I'm too tired to
figure out which is more appropriate :-)
- if (volobj&& backend->buildVol) {
+ if (backend->buildVol) {
int buildret;
virStorageVolDefPtr buildvoldef = NULL;
11:25 a.m.
On 05/03/2011 11:18 PM, Laine Stump wrote:
On 05/03/2011 01:58 PM, Eric Blake wrote:
> Detected by clang. NULL deref added in commit 343a27a (Mar 11),
> but leak of voldef present since commit 2cd9b2d (Apr 09).
>
> * src/storage/storage_driver.c (storageVolumeCreateXML): Don't
> leak voldef or dereference null volobj.
> ---
> src/storage/storage_driver.c | 4 +++-
> 1 files changed, 3 insertions(+), 1 deletions(-)
>
> diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
> index 1ea5d12..19c7d63 100644
> --- a/src/storage/storage_driver.c
> +++ b/src/storage/storage_driver.c
> @@ -1319,8 +1319,10 @@ storageVolumeCreateXML(virStoragePoolPtr obj,
> pool->volumes.objs[pool->volumes.count++] = voldef;
> volobj = virGetStorageVol(obj->conn, pool->def->name,
voldef->name,
> voldef->key);
> + if (!volobj)
> + goto cleanup;
At this point, voldef has been added into pool->volumes.objs[], but
voldef hasn't been NULLed out yet, so there is an extra pointer to it.
If you goto cleanup, you will end up calling
virStorageVolDefFree(voldef), so that object will get freed, but
pool->volumes.objs still has a pointer to it.
You either need to NULL out voldef, or remove it from
pool->volumes.objs[] (ie, just decrement the count). I'm too tired to
figure out which is more appropriate :-)
Good catch. I think decrementing the count is correct. v2 coming up.
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
11:52 a.m.
New subject: [libvirt] [PATCHv2] storage: avoid null deref and leak on failure
Detected by clang. NULL deref added in commit 343a27a (Mar 11),
but leak of voldef present since commit 2cd9b2d (Apr 09).
* src/storage/storage_driver.c (storageVolumeCreateXML): Don't
leak voldef or dereference null volobj.
---
v2: don't leave pool->volumes.objs pointing to stale memory on failure
src/storage/storage_driver.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
index 1ea5d12..5118ffb 100644
--- a/src/storage/storage_driver.c
+++ b/src/storage/storage_driver.c
@@ -1,7 +1,7 @@
/*
* storage_driver.c: core driver for storage APIs
*
- * Copyright (C) 2006-2010 Red Hat, Inc.
+ * Copyright (C) 2006-2011 Red Hat, Inc.
* Copyright (C) 2006-2008 Daniel P. Berrange
*
* This library is free software; you can redistribute it and/or
@@ -1319,8 +1319,12 @@ storageVolumeCreateXML(virStoragePoolPtr obj,
pool->volumes.objs[pool->volumes.count++] = voldef;
volobj = virGetStorageVol(obj->conn, pool->def->name, voldef->name,
voldef->key);
+ if (!volobj) {
+ pool->volumes.count--;
+ goto cleanup;
+ }
- if (volobj && backend->buildVol) {
+ if (backend->buildVol) {
int buildret;
virStorageVolDefPtr buildvoldef = NULL;
--
1.7.4.4
12:56 p.m.
New subject: [libvirt] [PATCHv2] storage: avoid null deref and leak on failure
On 05/04/2011 12:52 PM, Eric Blake wrote:
Detected by clang. NULL deref added in commit 343a27a (Mar 11),
but leak of voldef present since commit 2cd9b2d (Apr 09).
* src/storage/storage_driver.c (storageVolumeCreateXML): Don't
leak voldef or dereference null volobj.
---
v2: don't leave pool->volumes.objs pointing to stale memory on failure
src/storage/storage_driver.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
index 1ea5d12..5118ffb 100644
--- a/src/storage/storage_driver.c
+++ b/src/storage/storage_driver.c
@@ -1,7 +1,7 @@
/*
* storage_driver.c: core driver for storage APIs
*
- * Copyright (C) 2006-2010 Red Hat, Inc.
+ * Copyright (C) 2006-2011 Red Hat, Inc.
* Copyright (C) 2006-2008 Daniel P. Berrange
*
* This library is free software; you can redistribute it and/or
@@ -1319,8 +1319,12 @@ storageVolumeCreateXML(virStoragePoolPtr obj,
pool->volumes.objs[pool->volumes.count++] = voldef;
volobj = virGetStorageVol(obj->conn, pool->def->name, voldef->name,
voldef->key);
+ if (!volobj) {
+ pool->volumes.count--;
+ goto cleanup;
+ }
- if (volobj&& backend->buildVol) {
+ if (backend->buildVol) {
int buildret;
virStorageVolDefPtr buildvoldef = NULL;
ACK.
4:06 p.m.
New subject: [libvirt] [PATCHv2] storage: avoid null deref and leak on failure
On 05/04/2011 11:56 AM, Laine Stump wrote:
On 05/04/2011 12:52 PM, Eric Blake wrote:
> Detected by clang. NULL deref added in commit 343a27a (Mar 11),
> but leak of voldef present since commit 2cd9b2d (Apr 09).
>
> * src/storage/storage_driver.c (storageVolumeCreateXML): Don't
> leak voldef or dereference null volobj.
> ---
>
> v2: don't leave pool->volumes.objs pointing to stale memory on failure
>
ACK.
Thanks; pushed.
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
4952
days inactive
4953
days old
5 comments
2 participants
participants (2)
-
Eric Blake -
Laine Stump