From 1d45e1b6225c2068359e90b48559b54d0e019aee Mon Sep 17 00:00:00 2001
From: Laine Stump
Date: Thu, 3 Jun 2010 23:25:58 -0400
Subject: [PATCH] Fix dereference of potentially freed pointer in qemudDomainSaveFlags

The pointer to the xml describing the domain is saved into an object prior to calling VIR_REALLOC_N() to make the size of the memory it points to a multiple of QEMU_MONITOR_MIGRATE_TO_FILE_BS. If that operation needs to allocate new memory, the pointer that was saved is no longer valid. To avoid this situation, adjust the size *before* saving the pointer. (This showed up when experimenting with very large values of QEMU_MONITOR_MIGRATE_TO_FILE_BS).
---
 src/qemu/qemu_driver.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 6f77ea0bd3..2dc32fa01b 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -4959,12 +4959,6 @@ static int qemudDomainSaveFlag(virDomainPtr dom, const char *path,
         is_reg = S_ISREG(sb.st_mode);
     }
-
-    /* Setup hook data needed by virFileOperation hook function */
-    hdata.dom = dom;
-    hdata.path = path;
-    hdata.xml = xml;
-    hdata.header = &header;
     offset = sizeof(header) + header.xml_len;
     /* Due to way we append QEMU state on our header with dd,
@@ -4985,6 +4979,12 @@ static int qemudDomainSaveFlag(virDomainPtr dom, const char *path,
         header.xml_len += pad;
     }
+    /* Setup hook data needed by virFileOperation hook function */
+    hdata.dom = dom;
+    hdata.path = path;
+    hdata.xml = xml;
+    hdata.header = &header;
+
     /* Write header to file, followed by XML */
     /* First try creating the file as root */
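Review bot: The relocated hdata setup in the second hunk carries no hint that its position is load-bearing: per the commit message, hdata.xml must be captured only after the VIR_REALLOC_N() padding that sits between the two hunks, and a later reorder or "tidy-up" would silently reintroduce the dangling pointer the commit fixes. I would extend the moved comment to record the constraint, e.g. `/* Setup hook data needed by virFileOperation hook function. Must stay after the xml_len padding above: VIR_REALLOC_N() may move the xml buffer, so hdata.xml has to be taken from its final address. */`. As a side effect of the move, hdata.header = &header now also reflects the padded header.xml_len, which appears to be intended but is worth a word in the same comment. The body of qemudDomainSaveFlag begins and ends outside both hunks, so whether anything between hunk two and the hook invocation touches xml again cannot be confirmed from here.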