[libvirt] [0/2] Fix 2 possible crashes in JSON event dispatch

A couple of places didn't do sufficient NULL checks in handling dispatch of JSON events, so can crash under certain conditions.

A typo in handling graphics events allowed for a potential NULL pointer crash if a parameter was not defined * src/qemu/qemu_monitor_json.c: s/remoteService/localService/ --- src/qemu/qemu_monitor_json.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c index 4a25e98..6d8f328 100644 --- a/src/qemu/qemu_monitor_json.c +++ b/src/qemu/qemu_monitor_json.c @@ -646,8 +646,8 @@ static void qemuMonitorJSONHandleGraphics(qemuMonitorPtr mon, virJSONValuePtr da return; } localService = virJSONValueObjectGetString(server, "service"); - if (!remoteService) - remoteService = ""; /* Spice has multiple ports, so this isn't provided */ + if (!localService) + localService = ""; /* Spice has multiple ports, so this isn't provided */ remoteFamily = virJSONValueObjectGetString(client, "family"); if (!authScheme) { -- 1.6.6.1
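Review bot: in the trailing context, `remoteFamily = virJSONValueObjectGetString(client, "family");` is followed directly by `if (!authScheme) {`, so the value just fetched is not the one being tested. This looks like the same class of copy/paste slip the patch fixes for localService. If that check is meant to validate the client address family, it should test remoteFamily; otherwise a missing "family" field leaves remoteFamily NULL past this point. Separately, after this change nothing in the hunk defaults remoteService any more, so it is worth confirming that wherever remoteService is read from the client object it gets its own NULL handling.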

On 05/11/2010 08:36 AM, Daniel P. Berrange wrote:
A typo in handling graphics events allowed for a potential NULL pointer crash if a parameter was not defined
* src/qemu/qemu_monitor_json.c: s/remoteService/localService/ --- src/qemu/qemu_monitor_json.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c index 4a25e98..6d8f328 100644 --- a/src/qemu/qemu_monitor_json.c +++ b/src/qemu/qemu_monitor_json.c @@ -646,8 +646,8 @@ static void qemuMonitorJSONHandleGraphics(qemuMonitorPtr mon, virJSONValuePtr da return; } localService = virJSONValueObjectGetString(server, "service"); - if (!remoteService) - remoteService = ""; /* Spice has multiple ports, so this isn't provided */ + if (!localService) + localService = ""; /* Spice has multiple ports, so this isn't provided */
ACK.

-- 
Eric Blake eblake@redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org

If the IO error event does not include a reason, then there is a possible crash dispatching the event * src/conf/domain_event.c: Missing check for a NULL reason before strduping allows for a crash --- src/conf/domain_event.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/conf/domain_event.c b/src/conf/domain_event.c index e5bd458..e88aafe 100644 --- a/src/conf/domain_event.c +++ b/src/conf/domain_event.c @@ -671,7 +671,7 @@ static virDomainEventPtr virDomainEventIOErrorNewFromObjImpl(int event, ev->data.ioError.action = action; if (!(ev->data.ioError.srcPath = strdup(srcPath)) || !(ev->data.ioError.devAlias = strdup(devAlias)) || - !(ev->data.ioError.reason = strdup(reason))) { + (reason && !(ev->data.ioError.reason = strdup(reason)))) { virDomainEventFree(ev); ev = NULL; } -- 1.6.6.1
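Review bot: the two lines above the changed one still call `strdup(srcPath)` and `strdup(devAlias)` with no NULL guard, so if either can be absent from the event the same crash remains. Either guard them the same way as reason or document in the function comment that callers must pass non-NULL values for both. Also note that when reason is NULL the new expression never assigns `ev->data.ioError.reason`, so the field keeps whatever the allocation left there. That is only safe if ev is zero-initialised and every consumer of the event (including virDomainEventFree and the dispatch path) tolerates a NULL reason; a short comment stating that reason is optional would make the contract explicit.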

On 05/11/2010 08:36 AM, Daniel P. Berrange wrote:
If the IO error event does not include a reason, then there is a possible crash dispatching the event
* src/conf/domain_event.c: Missing check for a NULL reason before strduping allows for a crash --- src/conf/domain_event.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/conf/domain_event.c b/src/conf/domain_event.c index e5bd458..e88aafe 100644 --- a/src/conf/domain_event.c +++ b/src/conf/domain_event.c @@ -671,7 +671,7 @@ static virDomainEventPtr virDomainEventIOErrorNewFromObjImpl(int event, ev->data.ioError.action = action; if (!(ev->data.ioError.srcPath = strdup(srcPath)) || !(ev->data.ioError.devAlias = strdup(devAlias)) || - !(ev->data.ioError.reason = strdup(reason))) { + (reason && !(ev->data.ioError.reason = strdup(reason)))) {
ACK.

-- 
Eric Blake eblake@redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org