From 3fd2b1e9d0db822823bd15db6ba6825d0b806dfb Mon Sep 17 00:00:00 2001 From: Alex Jia Date: Thu, 27 Oct 2011 15:18:00 +0800 Subject: [PATCH] lxc: avoid null deref on lxcSetupLoopDevices failure If the function lxcSetupLoopDevices(def, &nloopDevs, &loopDevs) failed, the variable loopDevs will keep a initial NULL value, however, the function VIR_FORCE_CLOSE(loopDevs[i]) will directly deref it. This patch also fixes returning a bogous number of devices from lxcSetupLoopDevices on an error path. * rc/lxc/lxc_controller.c: fixed a null pointer dereference. Signed-off-by: Alex Jia --- src/lxc/lxc_controller.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c index c4e7832525..7603bc7e89 100644 --- a/src/lxc/lxc_controller.c +++ b/src/lxc/lxc_controller.c @@ -208,6 +208,7 @@ static int lxcSetupLoopDevices(virDomainDefPtr def, size_t *nloopDevs, int **loo VIR_DEBUG("Saving loop fd %d", fd); if (VIR_REALLOC_N(*loopDevs, *nloopDevs+1) < 0) { + *nloopDevs = 0; VIR_FORCE_CLOSE(fd); virReportOOMError(); goto cleanup; @@ -1017,8 +1018,11 @@ cleanup: VIR_FORCE_CLOSE(containerhandshake[0]); VIR_FORCE_CLOSE(containerhandshake[1]); - for (i = 0 ; i < nloopDevs ; i++) - VIR_FORCE_CLOSE(loopDevs[i]); + if (loopDevs) { + for (i = 0 ; i < nloopDevs ; i++) + VIR_FORCE_CLOSE(loopDevs[i]); + } + VIR_FREE(loopDevs); if (container > 1) {