
Re: [libvirt] [PATCH] Fix possible NULL dereference in driver



On 04/14/2011 08:03 AM, Michal Privoznik wrote:
If brSetForwardDelay() fails, we go to err1 where we want to access
macTapIfName variable which was just VIR_FREE'd a few lines above.

*raises hand*

Thanks for fixing this.

---
  src/network/bridge_driver.c |    5 +++--
  1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index ea2bfd4..97d8ce0 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1616,7 +1616,7 @@ networkStartNetworkDaemon(struct network_driver *driver,
      bool v4present = false, v6present = false;
      virErrorPtr save_err = NULL;
      virNetworkIpDefPtr ipdef;
-    char *macTapIfName;
+    char *macTapIfName = NULL;

      if (virNetworkObjIsActive(network)) {
          networkReportError(VIR_ERR_OPERATION_INVALID,
@@ -1657,7 +1657,6 @@ networkStartNetworkDaemon(struct network_driver *driver,
              VIR_FREE(macTapIfName);
              goto err0;
          }
-        VIR_FREE(macTapIfName);


ACK.

(In the spirit of putting all the frees down at the bottom (so that any later additions to the code don't need to remember to add VIR_FREE(macTapIfName) before they jump to err0), I might have added an "err0_5" label just above the VIR_FREE during error recovery, and jumped to there instead of err0. But this way also works, and it's only a single line, not a bunch of them, so I also might not have :-).)


      }

      /* Set bridge options */
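
Review bot: with the early `VIR_FREE(macTapIfName);` dropped after the `goto err0` block, nothing at this spot says that the name must stay allocated until the err1 message further down has used it, so a later cleanup could easily put the free back here. A short comment at this point, or next to the declaration, stating that the string is released on the success path and just above `err0:` would document the new lifetime.
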
@@ -1731,6 +1730,7 @@ networkStartNetworkDaemon(struct network_driver *driver,
          goto err5;
      }

+    VIR_FREE(macTapIfName);
      VIR_INFO(_("Starting up network '%s'"), network->def->name);
      network->active = 1;

@@ -1778,6 +1778,7 @@ networkStartNetworkDaemon(struct network_driver *driver,
                   macTapIfName, network->def->bridge,
                   virStrerror(err, ebuf, sizeof ebuf));
      }
+    VIR_FREE(macTapIfName);

   err0:
      if (!save_err)
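
Review bot: the new `VIR_FREE(macTapIfName);` sits immediately above the `err0:` label, so it runs only when control falls through from the err1 handling and is skipped by every direct `goto err0`. That is why the earlier hunk still has to keep its own `VIR_FREE(macTapIfName);` before `goto err0;`, and any `goto err0` added later, after the name has been allocated, would leak the string. Since the first hunk now initializes the pointer to NULL, placing this free just below `err0:` instead would cover every error exit and let the manual free before `goto err0` be dropped.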

