[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH] util: Avoid libvirtd crash



In fact, the 'tapfd' is always NULL, the function 'virNetDevTapCreate()' hasn't
assign 'fd' to 'tapfd', when the function 'virNetDevSetMAC()' is failed then
goto 'error' lable, finally, the VIR_FORCE_CLOSE() will deref a NULL 'tapfd'.

* util/virnetdevtap.c (virNetDevTapCreateInBridgePort): fix a NULL pointer derefing. 

* How to reproduce?

$ cat > /tmp/net.xml <<EOF
<network>
  <name>test</name>
  <forward mode='nat'/>
  <bridge name='br1' stp='off' delay='1' />
  <mac address='00:00:00:00:00:00'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.100.2' end='192.168.100.254' />
    </dhcp>
  </ip>
</network>
EOF

$ virsh net-define /tmp/net.xml

$ virsh net-start test
error: Failed to start network brTest
error: End of file while reading data: Input/output error


Signed-off-by: Alex Jia <ajia redhat com>
---
 src/util/virnetdevtap.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/src/util/virnetdevtap.c b/src/util/virnetdevtap.c
index 0b3ac46..5d21164 100644
--- a/src/util/virnetdevtap.c
+++ b/src/util/virnetdevtap.c
@@ -341,7 +341,8 @@ int virNetDevTapCreateInBridgePort(const char *brname,
     return 0;
 
  error:
-    VIR_FORCE_CLOSE(*tapfd);
+    if (tapfd)
+        VIR_FORCE_CLOSE(*tapfd);
 
     return errno;
 }
-- 
1.7.1


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]