[libvirt] [PATCH] Fix possible NULL dereference in driver
Laine Stump
laine at laine.org
Thu Apr 14 14:31:43 UTC 2011
On 04/14/2011 08:03 AM, Michal Privoznik wrote:
> If brSetForwardDelay() fails, we go to err1 where we want to access
> macTapIfName variable which was just VIR_FREE'd a few lines above.
*raises hand*
Thanks for fixing this.
> ---
> src/network/bridge_driver.c | 5 +++--
> 1 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
> index ea2bfd4..97d8ce0 100644
> --- a/src/network/bridge_driver.c
> +++ b/src/network/bridge_driver.c
> @@ -1616,7 +1616,7 @@ networkStartNetworkDaemon(struct network_driver *driver,
> bool v4present = false, v6present = false;
> virErrorPtr save_err = NULL;
> virNetworkIpDefPtr ipdef;
> - char *macTapIfName;
> + char *macTapIfName = NULL;
>
> if (virNetworkObjIsActive(network)) {
> networkReportError(VIR_ERR_OPERATION_INVALID,
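Review bot: The `= NULL` initializer on `macTapIfName` is what keeps the new `VIR_FREE(macTapIfName)` above `err0:` safe on any path that reaches it before the name is allocated, but the commit message only mentions the brSetForwardDelay() failure. Say so in the commit message, so the initializer is not later dropped as redundant.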
> @@ -1657,7 +1657,6 @@ networkStartNetworkDaemon(struct network_driver *driver,
> VIR_FREE(macTapIfName);
> goto err0;
> }
> - VIR_FREE(macTapIfName);
ACK.
(In the spirit of putting all the frees down at the bottom (so that any
later additions to the code don't need to remember to add
VIR_FREE(macTapIfName) before they jump to err0), I might have added an
"err0_5" label just above the VIR_FREE during error recovery, and jumped
to there instead of err0. But this way also works, and it's only a
single line, not a bunch of them, so I also might not have :-).)
> }
>
> /* Set bridge options */
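Review bot: The failure branch kept as context, `VIR_FREE(macTapIfName); goto err0;`, is now the one free of this variable that is not at the bottom, because the new cleanup free sits above the `err0:` label and this jump skips it. Either send this branch to a label placed just above that cleanup free, or add a comment here that any `goto err0` taken after the name is allocated must free it first.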
> @@ -1731,6 +1730,7 @@ networkStartNetworkDaemon(struct network_driver *driver,
> goto err5;
> }
>
> + VIR_FREE(macTapIfName);
> VIR_INFO(_("Starting up network '%s'"), network->def->name);
> network->active = 1;
>
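Review bot: The success-path `VIR_FREE(macTapIfName)` ahead of `VIR_INFO` depends on no later statement jumping to an error label whose message prints `macTapIfName`, and nothing in the hunk records that. A one-line comment saying this is the last point where the name is needed would help keep it true as the function grows.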
> @@ -1778,6 +1778,7 @@ networkStartNetworkDaemon(struct network_driver *driver,
> macTapIfName, network->def->bridge,
> virStrerror(err, ebuf, sizeof ebuf));
> }
> + VIR_FREE(macTapIfName);
>
> err0:
> if (!save_err)
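Review bot: The `VIR_FREE(macTapIfName)` directly above `err0:` must stay below the error message that passes `macTapIfName` as an argument, and nothing marks that ordering. Add a short comment on the free noting that it has to follow the last use of the name in the error path.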