From 0bea528a33898c818986302574a2f41681dcbb28 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Mon, 23 Sep 2013 14:11:34 +0100
Subject: [PATCH] Fix crash on OOM in qemuAddRBDHost

When parsing the RBD hosts, it increments the 'nhosts' counter
before increasing the 'hosts' array allocation. If an OOM then
occurs when increasing the array allocation, the cleanup block
will attempt to access beyond the end of the array. Switch
to using VIR_EXPAND_N instead of VIR_REALLOC_N to protect against
this mistake

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
 src/qemu/qemu_command.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index e98aed5601..1819bf6ac1 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -3232,9 +3232,8 @@ static int qemuAddRBDHost(virDomainDiskDefPtr disk, char *hostport)
     size_t skip;
     char **parts;
 
-    disk->nhosts++;
-    if (VIR_REALLOC_N(disk->hosts, disk->nhosts) < 0)
-        goto error;
+    if (VIR_EXPAND_N(disk->hosts, disk->nhosts, 1) < 0)
+        return -1;
 
     if ((port = strchr(hostport, ']'))) {
         /* ipv6, strip brackets */