[libvirt] [PATCH] Fix libvirtd free() segfault when migrating guest with deleted open vswitch port

Michal Privoznik mprivozn at redhat.com
Wed Jan 27 09:13:24 UTC 2016


On 26.01.2016 19:25, Jason J. Herne wrote:
> libvirtd crashes on free()ing portData for an open vswitch port if that port
> was deleted.  To reproduce:
> 
> ovs-vsctl del-port vnet0
> virsh migrate --live kvm1 qemu+ssh://dstHost/system
> 
> Error message:
> libvirtd: *** Error in `/usr/sbin/libvirtd': free(): invalid pointer: 0x000003ff90001e20 ***
> 
> The problem is that virCommandRun can return an empty string in the event that
> the port being queried does not exist. When this happens then we are
> unconditionally overwriting a newline character at position strlen()-1. When
> strlen is 0, we overwrite memory that does not belong to the string.
> 
> The fix: Only overwrite the newline if the string is not empty.
> 
> Reviewed-by: Bjoern Walk <bwalk at linux.vnet.ibm.com>
> Signed-off-by: Jason J. Herne <jjherne at linux.vnet.ibm.com>
> ---
>  src/util/virnetdevopenvswitch.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/src/util/virnetdevopenvswitch.c b/src/util/virnetdevopenvswitch.c
> index 6780fb5..0f640d0 100644
> --- a/src/util/virnetdevopenvswitch.c
> +++ b/src/util/virnetdevopenvswitch.c
> @@ -222,8 +222,10 @@ int virNetDevOpenvswitchGetMigrateData(char **migrate, const char *ifname)
>          goto cleanup;
>      }
>  
> -    /* Wipeout the newline */
> -    (*migrate)[strlen(*migrate) - 1] = '\0';
> +    /* Wipeout the newline, if it exists */
> +    if (strlen(*migrate) > 0) {
> +        (*migrate)[strlen(*migrate) - 1] = '\0';
> +    }
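
Review bot: the new condition `if (strlen(*migrate) > 0)` only checks that the string is non-empty, not that its last byte is a newline, so the comment "if it exists" promises more than the code does, and output that lacks a trailing '\n' would lose its final character. Consider computing the length once into a local `size_t len` and overwriting only when `len > 0 && (*migrate)[len - 1] == '\n'`. Since the commit message says the empty string appears when the queried port does not exist, it is also worth stating in the comment or the commit message whether empty migrate data is an acceptable result for the caller or should be reported as an error.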

I'd rather see us computing the length of the string once, but I guess
the compiler is wise enough to optimize the code for us.

Michal



