[libvirt] [PATCH] libxl: Resolve possible resource leak in dom0 maximum memory setting
If either the "if (STRPREFIX(mem_tokens[j], "max:"))" is never entered or the "if (virStrToLong_ull(mem_tokens[j] + 4, &p, 10, maxmem) < 0)" break is hit, control goes back to the outer loop processing 'cmd_tokens' and it's possible that the 'mem_tokens' would be overwritten. Found by Coverity Signed-off-by: John Ferlan <jferlan@redhat.com> --- Of course this is what led me down the path of the recently sent virusbmock patch... src/libxl/libxl_conf.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/libxl/libxl_conf.c b/src/libxl/libxl_conf.c index 6ce2e0a..f5b788b 100644 --- a/src/libxl/libxl_conf.c +++ b/src/libxl/libxl_conf.c @@ -1622,6 +1622,7 @@ libxlDriverGetDom0MaxmemConf(libxlDriverConfigPtr cfg, goto cleanup; } } + virStringListFree(mem_tokens); } physmem: -- 2.7.4
On 02/10/2017 02:06 PM, John Ferlan wrote:
If either the "if (STRPREFIX(mem_tokens[j], "max:"))" is never entered or the "if (virStrToLong_ull(mem_tokens[j] + 4, &p, 10, maxmem) < 0)" break is hit, control goes back to the outer loop processing 'cmd_tokens' and it's possible that the 'mem_tokens' would be overwritten.
Found by Coverity
Signed-off-by: John Ferlan <jferlan@redhat.com> ---
Of course this is what led me down the path of the recently sent virusbmock patch...
src/libxl/libxl_conf.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/src/libxl/libxl_conf.c b/src/libxl/libxl_conf.c index 6ce2e0a..f5b788b 100644 --- a/src/libxl/libxl_conf.c +++ b/src/libxl/libxl_conf.c @@ -1622,6 +1622,7 @@ libxlDriverGetDom0MaxmemConf(libxlDriverConfigPtr cfg, goto cleanup; } } + virStringListFree(mem_tokens); }
physmem:
This will work. The other possible location is just before: if (!(mem_tokens = virStringSplit(cmd_tokens[i], ",", 0))) line. ACK Michal
participants (2)
-
John Ferlan -
Michal Privoznik