[libvirt] [PATCH] conf: avoid libvirt crash with empty address guestfwd channel

Alex Jia ajia at redhat.com
Thu Sep 13 16:32:48 UTC 2012


----- Original Message -----
From: "Alex Jia" <ajia at redhat.com>
To: libvir-list at redhat.com
Cc: "Alex Jia" <ajia at redhat.com>
Sent: Friday, September 14, 2012 12:23:56 AM
Subject: [libvirt][PATCH] conf: avoid libvirt crash with empty address guestfwd channel

The 'def->target.addr' hasn't been initialized in virDomainChrDefNew() and
its value is always '0xffffffff'. In addition, the following test scenario
also doesn't include a 'port' element in the channel XML block, so the branch

    s/port/address/.


'if (addrStr == NULL)' is hit in virDomainChrDefParseTargetXML(), the
program jumps to the 'error' label to release relevant resources, and the
statement 'if (VIR_ALLOC(def->target.addr) < 0)' hasn't been executed, then
virDomainChrDefFree() will free 'def->target.addr' (0xffffffff) via
VIR_FREE(), which results in a libvirt crash; using valgrind can also
find an 'Invalid free() / delete / delete[]' error. This patch just adjusts
the code order to initialize 'def->target.addr' first.

With this patch, libvirt doesn't crash and gives the expected error message
"XML error: guestfwd channel does not define a target address".


How to reproduce?

1. define a guest with the following channel XML configuration

$ cat foo.xml
<snip>
    <channel type='pty'>
      <target type='guestfwd'/>
    </channel>
</snip>

$ virsh define foo.xml

2. actual result

error: Failed to define domain from /tmp/foo.xml
error: End of file while reading data: Input/output error
error: Failed to reconnect to the hypervisor

GDB debugger information:
<snip>
Breakpoint 1, virDomainChrDefFree (def=0x7f8ab000ec70) at conf/domain_conf.c:1264
...ignore
1264    {
(gdb) p def->target
$2 = {port = -1, addr = 0xffffffff, name = 0xffffffff <Address 0xffffffff out of bounds>}
</snip>

RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=856489

Signed-off-by: Alex Jia <ajia at redhat.com>
---
 src/conf/domain_conf.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 2f8e5d2..02048c7 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -5231,6 +5231,11 @@ virDomainChrDefParseTargetXML(virCapsPtr caps,
             addrStr = virXMLPropString(cur, "address");
             portStr = virXMLPropString(cur, "port");
 
+            if (VIR_ALLOC(def->target.addr) < 0) {
+                virReportOOMError();
+                goto error;
+            }
+
             if (addrStr == NULL) {
                 virReportError(VIR_ERR_XML_ERROR, "%s",
                                _("guestfwd channel does not "
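Review bot: Moving the VIR_ALLOC() above the 'if (addrStr == NULL)' check only makes this one exit safe; the cleanup still trusts whatever value 'def->target.addr' holds, and the gdb output in the commit message shows it as 0xffffffff next to 'port = -1' when virDomainChrDefFree() is entered. Any other 'goto error' reached before this allocation would hit the same invalid free, so consider also making virDomainChrDefNew() or virDomainChrDefFree() safe for an address that was never allocated, and add a short comment here saying the allocation has to precede the first 'goto error'.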
@@ -5238,11 +5243,6 @@ virDomainChrDefParseTargetXML(virCapsPtr caps,
                 goto error;
             }
 
-            if (VIR_ALLOC(def->target.addr) < 0) {
-                virReportOOMError();
-                goto error;
-            }
-
             if (virSocketAddrParse(def->target.addr, addrStr, AF_UNSPEC) < 0)
                 goto error;
 
-- 
1.7.1
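The failure path described in the commit message, as an added example that is not part of the original post and is not libvirt code: a constructed C model that runs the parse step in both orderings and counts cleanup attempts on a pointer that was never allocated. It assumes port, addr and name share storage (inferred from the gdb output above); all names in it are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model, not libvirt code. Assumption: port, addr and name
 * share storage, as the gdb output (port = -1, addr = 0xffffffff) suggests. */
struct addr_model { char text[64]; };
struct chr_def {
    union { int port; struct addr_model *addr; char *name; } target;
};

static void *last_alloc;  /* the only address buffer this model allocated */
static int invalid_frees; /* cleanup calls on a pointer never allocated */

static struct chr_def *chr_new(void)
{
    struct chr_def *def = calloc(1, sizeof(*def));
    if (def) def->target.port = -1; /* also sets bytes of target.addr */
    return def;
}

/* Stand-in for the cleanup that releases def->target.addr. */
static void chr_free(struct chr_def *def)
{
    void *p = def->target.addr;
    if (p != NULL && p != last_alloc)
        invalid_frees++; /* a real free() here is the reported crash */
    else
        free(p);
    free(def);
}

/* alloc_first: 0 = order before the patch, 1 = order after it.
 * Returns the number of invalid frees seen during cleanup. */
int parse_guestfwd(const char *addr_str, int alloc_first)
{
    struct chr_def *def = chr_new();
    if (def == NULL) return -1;
    invalid_frees = 0; last_alloc = NULL;
    if (alloc_first)
        def->target.addr = last_alloc = calloc(1, sizeof(struct addr_model));
    if (addr_str == NULL)
        goto cleanup; /* "does not define a target address" */
    if (!alloc_first)
        def->target.addr = last_alloc = calloc(1, sizeof(struct addr_model));
    if (def->target.addr != NULL)
        strncpy(def->target.addr->text, addr_str, sizeof(def->target.addr->text) - 1);
cleanup:
    chr_free(def);
    return invalid_frees;
}
```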



