mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-22 04:25:18 +00:00
daemon: avoid memleak when ListAll returns nothing
Commit 4f25146 (v1.2.8) managed to silence Coverity, but at the cost of a memory leak detected by valgrind: ==24129== 40 bytes in 5 blocks are definitely lost in loss record 355 of 637 ==24129== at 0x4A08B1C: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==24129== by 0x5084B8E: virReallocN (viralloc.c:245) ==24129== by 0x514D5AA: virDomainObjListExport (domain_conf.c:22200) ==24129== by 0x201227DB: qemuConnectListAllDomains (qemu_driver.c:18042) ==24129== by 0x51CC1B6: virConnectListAllDomains (libvirt-domain.c:6797) ==24129== by 0x14173D: remoteDispatchConnectListAllDomains (remote.c:1580) ==24129== by 0x121BE1: remoteDispatchConnectListAllDomainsHelper (remote_dispatch.h:1072) In short, every time a client calls a ListAll variant and asks for the resulting list, but there are 0 elements to return, we end up leaking the 1-entry array that holds the NULL terminator. What's worse, a read-only client can access these functions in a tight loop to cause libvirtd to eventually run out of memory; and this can be considered a denial of service attack against more privileged clients. Thankfully, the leak is so small (8 bytes per call) that you would already have some other denial of service with any guest calling the API that frequently, so an out-of-memory crash is unlikely enough that this did not warrant a CVE. * daemon/remote.c (remoteDispatchConnectListAllDomains) (remoteDispatchDomainListAllSnapshots) (remoteDispatchDomainSnapshotListAllChildren) (remoteDispatchConnectListAllStoragePools) (remoteDispatchStoragePoolListAllVolumes) (remoteDispatchConnectListAllNetworks) (remoteDispatchConnectListAllInterfaces) (remoteDispatchConnectListAllNodeDevices) (remoteDispatchConnectListAllNWFilters) (remoteDispatchConnectListAllSecrets) (remoteDispatchNetworkGetDHCPLeases): Plug leak. Signed-off-by: Eric Blake <eblake@redhat.com>
This commit is contained in:
parent
bb0bf87b24
commit
3c2ff5029b
@ -1609,11 +1609,10 @@ remoteDispatchConnectListAllDomains(virNetServerPtr server ATTRIBUTE_UNUSED,
|
|||||||
cleanup:
|
cleanup:
|
||||||
if (rv < 0)
|
if (rv < 0)
|
||||||
virNetMessageSaveError(rerr);
|
virNetMessageSaveError(rerr);
|
||||||
if (doms && ndomains > 0) {
|
if (doms && ndomains > 0)
|
||||||
for (i = 0; i < ndomains; i++)
|
for (i = 0; i < ndomains; i++)
|
||||||
virObjectUnref(doms[i]);
|
virObjectUnref(doms[i]);
|
||||||
VIR_FREE(doms);
|
VIR_FREE(doms);
|
||||||
}
|
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -4605,11 +4604,10 @@ remoteDispatchDomainListAllSnapshots(virNetServerPtr server ATTRIBUTE_UNUSED,
|
|||||||
if (rv < 0)
|
if (rv < 0)
|
||||||
virNetMessageSaveError(rerr);
|
virNetMessageSaveError(rerr);
|
||||||
virObjectUnref(dom);
|
virObjectUnref(dom);
|
||||||
if (snaps && nsnaps > 0) {
|
if (snaps && nsnaps > 0)
|
||||||
for (i = 0; i < nsnaps; i++)
|
for (i = 0; i < nsnaps; i++)
|
||||||
virObjectUnref(snaps[i]);
|
virObjectUnref(snaps[i]);
|
||||||
VIR_FREE(snaps);
|
VIR_FREE(snaps);
|
||||||
}
|
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -4674,11 +4672,10 @@ remoteDispatchDomainSnapshotListAllChildren(virNetServerPtr server ATTRIBUTE_UNU
|
|||||||
virNetMessageSaveError(rerr);
|
virNetMessageSaveError(rerr);
|
||||||
virObjectUnref(snapshot);
|
virObjectUnref(snapshot);
|
||||||
virObjectUnref(dom);
|
virObjectUnref(dom);
|
||||||
if (snaps && nsnaps > 0) {
|
if (snaps && nsnaps > 0)
|
||||||
for (i = 0; i < nsnaps; i++)
|
for (i = 0; i < nsnaps; i++)
|
||||||
virObjectUnref(snaps[i]);
|
virObjectUnref(snaps[i]);
|
||||||
VIR_FREE(snaps);
|
VIR_FREE(snaps);
|
||||||
}
|
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -4733,11 +4730,10 @@ remoteDispatchConnectListAllStoragePools(virNetServerPtr server ATTRIBUTE_UNUSED
|
|||||||
cleanup:
|
cleanup:
|
||||||
if (rv < 0)
|
if (rv < 0)
|
||||||
virNetMessageSaveError(rerr);
|
virNetMessageSaveError(rerr);
|
||||||
if (pools && npools > 0) {
|
if (pools && npools > 0)
|
||||||
for (i = 0; i < npools; i++)
|
for (i = 0; i < npools; i++)
|
||||||
virObjectUnref(pools[i]);
|
virObjectUnref(pools[i]);
|
||||||
VIR_FREE(pools);
|
VIR_FREE(pools);
|
||||||
}
|
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -4796,11 +4792,10 @@ remoteDispatchStoragePoolListAllVolumes(virNetServerPtr server ATTRIBUTE_UNUSED,
|
|||||||
cleanup:
|
cleanup:
|
||||||
if (rv < 0)
|
if (rv < 0)
|
||||||
virNetMessageSaveError(rerr);
|
virNetMessageSaveError(rerr);
|
||||||
if (vols && nvols > 0) {
|
if (vols && nvols > 0)
|
||||||
for (i = 0; i < nvols; i++)
|
for (i = 0; i < nvols; i++)
|
||||||
virObjectUnref(vols[i]);
|
virObjectUnref(vols[i]);
|
||||||
VIR_FREE(vols);
|
VIR_FREE(vols);
|
||||||
}
|
|
||||||
virObjectUnref(pool);
|
virObjectUnref(pool);
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
@ -4856,11 +4851,10 @@ remoteDispatchConnectListAllNetworks(virNetServerPtr server ATTRIBUTE_UNUSED,
|
|||||||
cleanup:
|
cleanup:
|
||||||
if (rv < 0)
|
if (rv < 0)
|
||||||
virNetMessageSaveError(rerr);
|
virNetMessageSaveError(rerr);
|
||||||
if (nets && nnets > 0) {
|
if (nets && nnets > 0)
|
||||||
for (i = 0; i < nnets; i++)
|
for (i = 0; i < nnets; i++)
|
||||||
virObjectUnref(nets[i]);
|
virObjectUnref(nets[i]);
|
||||||
VIR_FREE(nets);
|
VIR_FREE(nets);
|
||||||
}
|
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -4915,11 +4909,10 @@ remoteDispatchConnectListAllInterfaces(virNetServerPtr server ATTRIBUTE_UNUSED,
|
|||||||
cleanup:
|
cleanup:
|
||||||
if (rv < 0)
|
if (rv < 0)
|
||||||
virNetMessageSaveError(rerr);
|
virNetMessageSaveError(rerr);
|
||||||
if (ifaces && nifaces > 0) {
|
if (ifaces && nifaces > 0)
|
||||||
for (i = 0; i < nifaces; i++)
|
for (i = 0; i < nifaces; i++)
|
||||||
virObjectUnref(ifaces[i]);
|
virObjectUnref(ifaces[i]);
|
||||||
VIR_FREE(ifaces);
|
VIR_FREE(ifaces);
|
||||||
}
|
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -4974,11 +4967,10 @@ remoteDispatchConnectListAllNodeDevices(virNetServerPtr server ATTRIBUTE_UNUSED,
|
|||||||
cleanup:
|
cleanup:
|
||||||
if (rv < 0)
|
if (rv < 0)
|
||||||
virNetMessageSaveError(rerr);
|
virNetMessageSaveError(rerr);
|
||||||
if (devices && ndevices > 0) {
|
if (devices && ndevices > 0)
|
||||||
for (i = 0; i < ndevices; i++)
|
for (i = 0; i < ndevices; i++)
|
||||||
virObjectUnref(devices[i]);
|
virObjectUnref(devices[i]);
|
||||||
VIR_FREE(devices);
|
VIR_FREE(devices);
|
||||||
}
|
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5033,11 +5025,10 @@ remoteDispatchConnectListAllNWFilters(virNetServerPtr server ATTRIBUTE_UNUSED,
|
|||||||
cleanup:
|
cleanup:
|
||||||
if (rv < 0)
|
if (rv < 0)
|
||||||
virNetMessageSaveError(rerr);
|
virNetMessageSaveError(rerr);
|
||||||
if (filters && nfilters > 0) {
|
if (filters && nfilters > 0)
|
||||||
for (i = 0; i < nfilters; i++)
|
for (i = 0; i < nfilters; i++)
|
||||||
virObjectUnref(filters[i]);
|
virObjectUnref(filters[i]);
|
||||||
VIR_FREE(filters);
|
VIR_FREE(filters);
|
||||||
}
|
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5092,11 +5083,10 @@ remoteDispatchConnectListAllSecrets(virNetServerPtr server ATTRIBUTE_UNUSED,
|
|||||||
cleanup:
|
cleanup:
|
||||||
if (rv < 0)
|
if (rv < 0)
|
||||||
virNetMessageSaveError(rerr);
|
virNetMessageSaveError(rerr);
|
||||||
if (secrets && nsecrets > 0) {
|
if (secrets && nsecrets > 0)
|
||||||
for (i = 0; i < nsecrets; i++)
|
for (i = 0; i < nsecrets; i++)
|
||||||
virObjectUnref(secrets[i]);
|
virObjectUnref(secrets[i]);
|
||||||
VIR_FREE(secrets);
|
VIR_FREE(secrets);
|
||||||
}
|
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -6264,11 +6254,10 @@ remoteDispatchNetworkGetDHCPLeases(virNetServerPtr server ATTRIBUTE_UNUSED,
|
|||||||
cleanup:
|
cleanup:
|
||||||
if (rv < 0)
|
if (rv < 0)
|
||||||
virNetMessageSaveError(rerr);
|
virNetMessageSaveError(rerr);
|
||||||
if (leases && nleases > 0) {
|
if (leases && nleases > 0)
|
||||||
for (i = 0; i < nleases; i++)
|
for (i = 0; i < nleases; i++)
|
||||||
virNetworkDHCPLeaseFree(leases[i]);
|
virNetworkDHCPLeaseFree(leases[i]);
|
||||||
VIR_FREE(leases);
|
VIR_FREE(leases);
|
||||||
}
|
|
||||||
virObjectUnref(net);
|
virObjectUnref(net);
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
Loading…
x
Reference in New Issue
Block a user