[libvirt] [PATCH] libvirt.c: don't let a NULL "cpumaps" argument provoke a NULL-deref

Jim Meyering jim at meyering.net
Tue Dec 15 17:12:29 UTC 2009


Daniel P. Berrange wrote:
...
>> +    /* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not
>> +       try to memcpy anything into a NULL pointer.  */
>> +    if (cpumaps == NULL)
>> +        maplen = 0;
>> +
>>      if (cpumaps != NULL && maplen < 1) {
>>          virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__);
>>          goto error;
>> --
>
> I wonder if it might be better to return an error in that case. Passing
> a NULL cpumaps, and non-zero maplen seems like a real application bug
> we should complain about
>
>   if (cpumaps == NULL && maplen != 0)
>     ....error...

Ok.  Here's a revised patch.

From d37bca86d0224052cb22d318fb7a4388909fc5e0 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering at redhat.com>
Date: Mon, 14 Dec 2009 17:17:53 +0100
Subject: [PATCH] libvirt.c: don't let a NULL "cpumaps" argument provoke a NULL-deref

* src/libvirt.c (virDomainGetVcpus): Describe new, stronger
requirement on "maplen"'s relationship to "cpumaps".
---
 src/libvirt.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/src/libvirt.c b/src/libvirt.c
index 008e322..103b331 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -4753,6 +4753,7 @@ error:
  *      virDomainPinVcpu() API.
  * @maplen: number of bytes in one cpumap, from 1 up to size of CPU map in
  *	underlying virtualization system (Xen...).
+ *	Must be zero when cpumaps is NULL and positive when it is non-NULL.
  *
  * Extract information about virtual CPUs of domain, store it in info array
  * and also in cpumaps if this pointer isn't NULL.
@@ -4776,7 +4777,11 @@ virDomainGetVcpus(virDomainPtr domain, virVcpuInfoPtr info, int maxinfo,
         virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__);
         goto error;
     }
-    if (cpumaps != NULL && maplen < 1) {
+
+    /* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not
+       try to memcpy anything into a NULL pointer.  */
+    if ((cpumaps == NULL && maplen != 0)
+        || (cpumaps && maplen <= 0)) {
         virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__);
         goto error;
     }
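Review bot: the two halves of the new condition test the pointer in different styles ("cpumaps == NULL" on the first line, bare "cpumaps" on the second); write the second as "(cpumaps != NULL && maplen <= 0)" to match the first half and the explicit comparisons used in the check above it. Two further points. This is a behaviour change for callers: the removed line only fired when cpumaps was non-NULL, so a NULL cpumaps with any maplen used to pass this check, and such callers will now get VIR_ERR_INVALID_ARG; the commit message should say so rather than only describing the documentation update. And the comment's "aka remoteDomainGetVcpus" reads as though the remote driver were the only implementation of the domainGetVcpus callback; "e.g." is the more accurate wording, since the check protects whatever driver is behind the pointer.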
--
1.6.6.rc2.275.g51e2d
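An added example, not code from libvirt or from either message in this thread, that models the argument contract the patch enforces: a driver-side stand-in that writes maplen bytes per vCPU into cpumaps and would fault on a NULL buffer, and a public wrapper that applies the same NULL/zero check first. All of the demo_* names, the four-vCPU domain, the pinning bytes and the one-byte-per-row bitmap layout are constructed for the illustration and are not libvirt's.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libvirt code.  It models the (cpumaps, maplen) contract
   that the patch enforces in virDomainGetVcpus(): maplen must be 0 when
   cpumaps is NULL and positive when it is non-NULL.  All names and the
   pinning data below are hypothetical / constructed for the demonstration. */

#define DEMO_NVCPUS 4        /* constructed: the demo domain has 4 vCPUs */

/* Constructed pinning data: one byte per vCPU, bit n set = vCPU may run on
   host CPU n (the real libvirt bitmap layout is not reproduced here). */
static const unsigned char demo_pinning[DEMO_NVCPUS] = { 0x03, 0x06, 0x0c, 0x18 };

typedef struct {
    int number;   /* virtual CPU number */
    int cpu;      /* host CPU it was last seen on */
} demo_vcpu_info;

/* The check from the patch: 0 if the pair is consistent, -1 otherwise.
   NULL + non-zero is rejected because the driver would otherwise copy into
   a NULL pointer; non-NULL + zero because nothing could be stored in the
   buffer the caller handed over. */
int demo_check_cpumaps_args(const unsigned char *cpumaps, int maplen)
{
    if ((cpumaps == NULL && maplen != 0) || (cpumaps != NULL && maplen <= 0))
        return -1;
    return 0;
}

/* Stand-in for a driver's domainGetVcpus callback.  It trusts its arguments:
   whenever maplen > 0 it writes into cpumaps, so a NULL cpumaps paired with a
   non-zero maplen would fault here.  The public wrapper below must filter
   that combination out before control reaches this point. */
static int demo_driver_get_vcpus(demo_vcpu_info *info, int maxinfo,
                                 unsigned char *cpumaps, int maplen)
{
    int n = maxinfo < DEMO_NVCPUS ? maxinfo : DEMO_NVCPUS;
    for (int i = 0; i < n; i++) {
        info[i].number = i;
        info[i].cpu = i;                          /* constructed placement */
        if (maplen > 0) {
            unsigned char *row = cpumaps + (size_t)i * maplen;
            memset(row, 0, (size_t)maplen);       /* clear the whole row */
            row[0] = demo_pinning[i];             /* one byte covers the demo host */
        }
    }
    return n;
}

/* Public entry point modelled on virDomainGetVcpus(): validate, then call the
   driver.  Returns the number of entries filled in, or -1 on bad arguments. */
int demo_get_vcpus(demo_vcpu_info *info, int maxinfo,
                   unsigned char *cpumaps, int maplen)
{
    if (info == NULL || maxinfo < 1)
        return -1;
    if (demo_check_cpumaps_args(cpumaps, maplen) < 0)
        return -1;
    return demo_driver_get_vcpus(info, maxinfo, cpumaps, maplen);
}

/* Exercises every combination the check distinguishes.  Returns 1 when all
   expectations hold, 0 otherwise. */
int demo_selftest(void)
{
    demo_vcpu_info info[DEMO_NVCPUS];
    unsigned char maps[DEMO_NVCPUS * 2];
    int ok = 1;

    ok &= demo_get_vcpus(info, DEMO_NVCPUS, NULL, 0) == DEMO_NVCPUS;  /* no maps wanted */
    ok &= info[3].cpu == 3;
    ok &= demo_get_vcpus(info, DEMO_NVCPUS, NULL, 4) == -1;  /* would memcpy into NULL */
    ok &= demo_get_vcpus(info, DEMO_NVCPUS, maps, 0) == -1;  /* buffer with no room */
    ok &= demo_get_vcpus(info, DEMO_NVCPUS, maps, -1) == -1;
    memset(maps, 0xff, sizeof maps);
    ok &= demo_get_vcpus(info, DEMO_NVCPUS, maps, 2) == DEMO_NVCPUS;
    ok &= maps[0] == 0x03 && maps[1] == 0x00;    /* row 0: pinning byte, cleared pad */
    ok &= maps[6] == 0x18 && maps[7] == 0x00;    /* row 3 starts at 3 * maplen */
    ok &= demo_get_vcpus(info, 2, maps, 2) == 2; /* maxinfo smaller than vCPU count */
    return ok;
}

int main(void)
{
    int ok = demo_selftest();
    printf("demo_selftest: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The wrapper mirrors the order the patch ends up with: the info/maxinfo check first, then the cpumaps/maplen relationship, and only then the driver call that actually touches the buffer. Note that the check says nothing about an upper bound on maplen or about the buffer being at least maxinfo * maplen bytes; those remain the caller's responsibility, exactly as in the real API.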