[libvirt] [PATCH] util: fix libvirtd crash caused by virStorageNetHostTransportTypeFromString
Eric Blake
eblake at redhat.com
Fri Oct 24 19:12:47 UTC 2014
On 10/24/2014 01:01 PM, Shanzhi Yu wrote:
> When split uri->scheme into two strings with "+", the second one will be
s/split/splitting/
> "rdma://server/..". Passing it to virStorageNetHostTransportTypeFromString
> will lead to a libvirtd crash. So a second virStringSplit call is needed.
Can you show the FULL string that is being passed into this function,
and not just the string after the first split on '+'? That is, showing
an easy formula of how to reproduce the bug makes it easier to know if
the solution is right.
>
> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1156288
You have to assume that not everyone will click through this link.
> Signed-off-by: Shanzhi Yu <shyu at redhat.com>
> ---
> src/util/virstoragefile.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
> index 960aa23..795c188 100644
> --- a/src/util/virstoragefile.c
> +++ b/src/util/virstoragefile.c
> @@ -2144,6 +2144,9 @@ virStorageSourceParseBackingURI(virStorageSourcePtr src,
> goto cleanup;
> }
>
> + if (!(scheme = virStringSplit(scheme[1], ":", 2)))
Ouch. Memory leak. You are overwriting the contents of malloc'd scheme
with a new pointer. You'll need to send a v2.
> + goto cleanup;
> +
> if (scheme[1] &&
> (src->hosts->transport = virStorageNetHostTransportTypeFromString(scheme[1])) < 0) {
> virReportError(VIR_ERR_INTERNAL_ERROR,
>
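Review bot: the added line scheme = virStringSplit(scheme[1], ":", 2) assigns the result back to scheme, so the array returned by the earlier split on "+" is no longer reachable and cannot be freed at cleanup. If the second call returns NULL, the only pointer to that array is lost as well. Keep the second result in its own variable and free both lists on the cleanup path. Also, going by the commit message's example "rdma://server/..", a split on ":" leaves the transport name in element 0, while the unchanged check below still passes scheme[1] to virStorageNetHostTransportTypeFromString, so the index used there should be revisited in v2.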
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org