[libvirt] [PATCH] bridge: leases: Fix potential crash caused by use after free

Peter Krempa pkrempa at redhat.com
Tue Jun 24 12:06:26 UTC 2014


On 06/24/14 13:54, Peter Krempa wrote:
> Don't free individual JSON array members as the array will be freed at
> the end. This may potentially lead to a crash although it didn't crash
> on my setup.
> ---
>  src/network/bridge_driver.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 

It crashed now in valgrind:

==2487543== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==2487543==  Access not within mapped region at address 0x0
==2487543==    at 0x52ADAF7: virFree (viralloc.c:582)
==2487543==    by 0x52E76D3: virJSONValueFree (virjson.c:76)
==2487543==    by 0x52E773F: virJSONValueFree (virjson.c:83)
==2487543==    by 0x1317A8F8: networkGetDHCPLeasesHelper (bridge_driver.c:3533)
==2487543==    by 0x1317ABFE: networkGetDHCPLeasesForMAC (bridge_driver.c:3586)
==2487543==    by 0x541D2E1: virNetworkGetDHCPLeasesForMAC (libvirt.c:21154)
==2487543==    by 0x159082: remoteDispatchNetworkGetDHCPLeasesForMAC (remote.c:6347)
==2487543==    by 0x13D0B7: remoteDispatchNetworkGetDHCPLeasesForMACHelper (remote_dispatch.h:10355)
==2487543==    by 0x547B0D1: virNetServerProgramDispatchCall (virnetserverprogram.c:437)
==2487543==    by 0x547AC2E: virNetServerProgramDispatch (virnetserverprogram.c:307)
==2487543==    by 0x170443: virNetServerProcessMsg (virnetserver.c:172)
==2487543==    by 0x170529: virNetServerHandleJob (virnetserver.c:193)

I was apparently lucky before and the pointers mapped to memory that was still mapped.

Peter
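Below is an added example, not libvirt code and not part of this thread, that models the ownership rule behind the patch in plain C: a container owns its members and releases them in its own free routine, so the caller frees only the container, or detaches a member first if it wants to keep it. The type and function names (json_value, json_array_steal, walk_and_free, build_sample_array) are hypothetical, the three-string array is constructed inline, and a free counter stands in for valgrind so a test can check that every node is freed exactly once.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal JSON-like value: either a string leaf or an array
 * that OWNS its members (it frees them when it is freed). */
typedef struct json_value json_value;
struct json_value {
    char *str;            /* leaf payload, NULL for arrays */
    json_value **items;   /* owned members, NULL for leaves */
    size_t nitems;
};

/* Counts nodes freed so a caller can verify "freed exactly once". */
static size_t g_freed;

json_value *json_string_new(const char *s) {
    json_value *v = calloc(1, sizeof *v);
    if (!v) return NULL;
    v->str = strdup(s);
    return v;
}

json_value *json_array_new(void) { return calloc(1, sizeof(json_value)); }

/* Appends item; ownership transfers to the array. Returns 0 or -1. */
int json_array_append(json_value *arr, json_value *item) {
    json_value **tmp = realloc(arr->items, (arr->nitems + 1) * sizeof *tmp);
    if (!tmp) return -1;
    arr->items = tmp;
    arr->items[arr->nitems++] = item;
    return 0;
}

/* Frees v and, recursively, every member it still owns. This is the only
 * place members are freed, which is why callers must not free them. */
void json_value_free(json_value *v) {
    if (!v) return;
    for (size_t i = 0; i < v->nitems; i++)
        json_value_free(v->items[i]);
    free(v->items);
    free(v->str);
    free(v);
    g_freed++;
}

/* Detaches member i and hands ownership to the caller; the array will no
 * longer touch it. Returns NULL if i is out of range. */
json_value *json_array_steal(json_value *arr, size_t i) {
    if (i >= arr->nitems) return NULL;
    json_value *taken = arr->items[i];
    memmove(&arr->items[i], &arr->items[i + 1],
            (arr->nitems - i - 1) * sizeof *arr->items);
    arr->nitems--;
    return taken;
}

/* Constructed sample input: ["a", "b", "c"]. */
json_value *build_sample_array(void) {
    json_value *arr = json_array_new();
    const char *words[] = { "a", "b", "c" };
    for (size_t i = 0; i < 3; i++)
        json_array_append(arr, json_string_new(words[i]));
    return arr;
}

/* The fixed pattern: inspect each member, then free only the array.
 * Returns how many nodes were freed (members plus the container). */
size_t walk_and_free(json_value *arr) {
    size_t before = g_freed;
    for (size_t i = 0; i < arr->nitems; i++) {
        /* look at arr->items[i]->str here; do NOT json_value_free() it */
    }
    json_value_free(arr);
    return g_freed - before;
}

/* Keeping one member: detach it first, then free the array once.
 * Copies the kept payload into kept_out and returns the nodes freed by
 * the array free (the kept node is freed separately, exactly once). */
size_t scenario_steal_then_free(char *kept_out, size_t kept_len) {
    json_value *arr = build_sample_array();
    json_value *kept = json_array_steal(arr, 1);   /* now caller-owned */
    size_t n = walk_and_free(arr);                 /* frees "a", "c", array */
    snprintf(kept_out, kept_len, "%s", kept ? kept->str : "");
    json_value_free(kept);                         /* single free of "b" */
    return n;
}

int main(void) {
    char buf[8];
    printf("whole array: %zu nodes freed\n", walk_and_free(build_sample_array()));
    printf("after steal: %zu nodes freed, kept \"%s\"\n",
           scenario_steal_then_free(buf, sizeof buf), buf);
    return 0;
}
```

Adding a free(arr->items[i]) or json_value_free(arr->items[i]) inside the loop of walk_and_free and then still calling json_value_free(arr) is the pattern the patch removes: each member is freed twice and its freed memory is read while the array is torn down. With glibc that normally aborts with a double-free error and valgrind reports an invalid free or read; on an unchecked build it can appear to work as long as the freed chunks still map to accessible memory, which is why it did not crash every time.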
