[libvirt] [PATCH] vbox: Fix segfault on empty device source
Matthias Bolte
matthias.bolte at googlemail.com
Wed Mar 24 00:23:37 UTC 2010
2010/3/22 Eric Blake <eblake at redhat.com>:
> On 03/22/2010 02:40 PM, Matthias Bolte wrote:
>> <source file=''/> results in def->disks[i]->src == NULL. But
>> vboxDomainDefineXML didn't check def->disks[i]->src for NULL
>> and expected it to be a valid string.
>>
>> Add checks for def->disks[i]->src != NULL to fix the segfault.
>
> ACK, but did you catch all the places? For example,
>
>> @@ -3519,7 +3519,8 @@ static virDomainPtr vboxDomainDefineXML(virConnectPtr conn, const char *xml) {
>> DEBUG("disk(%d) shared: %s", i, def->disks[i]->shared ? "True" : "False");
>>
>> if (def->disks[i]->device == VIR_DOMAIN_DISK_DEVICE_CDROM) {
>> - if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_FILE) {
>> + if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_FILE &&
>> + def->disks[i]->src != NULL) {
>> IDVDDrive *dvdDrive = NULL;
>> /* Currently CDROM/DVD Drive is always IDE
>> * Secondary Master so neglecting the following
>> @@ -3801,7 +3802,8 @@ static virDomainPtr vboxDomainDefineXML(virConnectPtr conn, const char *xml) {
>
> in between these two line ranges, I see a usage at line 3591 under
> def->disks[i]->device==VIR_DOMAIN_DISK_TYPE_DISK that seems like it
> could be vulnerable to the same problem.
>
Yep, I didn't catch all places. Here's a patch that should catch all
unchecked usage of the src member.
Matthias
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-vbox-Fix-segfault-on-empty-device-source.diff
Type: text/x-diff
Size: 4800 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20100324/8ed870da/attachment-0001.bin>
More information about the libvir-list
mailing list