External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-12-22 05:35:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

vbox: fix a segfault when taking a snapshot

Browse Source 
there is a segfault in the vbox driver when taking a snapshot in the
following functions:
- vboxDomainGetXMLDesc
- vboxSnapshotGetReadWriteDisks
- vboxSnapshotGetReadOnlyDisks

The virStorageSourcePtr in virDomainDiskDef was not correctly allocated.

(The problem stems from the fact that commit 4dc5d8f and commit bc3f5f1
were written in one order but applied in another; so each tested in
isolation passed, but the combination introduces the problem due to
changed semantics).

Signed-off-by: Eric Blake <eblake@redhat.com>
This commit is contained in:
Yohan BELLEGUIC 2014-06-17 10:28:41 +02:00 committed by Eric Blake
parent 28427e6b2a
commit 49ce28d668
1 changed files with 16 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
src/vbox/vbox_tmpl.c
View File

@ -2872,10 +2872,12 @@ static char *vboxDomainGetXMLDesc(virDomainPtr dom, unsigned int flags) {
/* Allocate mem, if fails return error */
if (VIR_ALLOC_N(def->disks, def->ndisks) >= 0) {
for (i = 0; i < def->ndisks; i++) {
if (VIR_ALLOC(def->disks[i]) < 0) {
virDomainDiskDefPtr disk = virDomainDiskDefNew();
if (!disk) {
error = true;
break;
}
def->disks[i] = disk;
}
} else {
error = true;
@ -7175,6 +7177,10 @@ int vboxSnapshotGetReadWriteDisks(virDomainSnapshotDefPtr def,
/* Allocate mem, if fails return error */
if (VIR_ALLOC_N(def->disks, def->ndisks) < 0)
goto cleanup;
for (i = 0; i < def->ndisks; i++) {
if (VIR_ALLOC(def->disks[i].src) < 0)
goto cleanup;
}
if (!vboxGetMaxPortSlotValues(data->vboxObj, maxPortPerInst, maxSlotPerPort))
goto cleanup;
@ -7302,11 +7308,11 @@ int vboxSnapshotGetReadWriteDisks(virDomainSnapshotDefPtr def,
ret = 0;
cleanup:
if (ret < 0) {
for (i = 0; i < def->dom->ndisks; i++)
VIR_FREE(def->dom->disks[i]);
VIR_FREE(def->dom->disks);
def->dom->ndisks = 0;
ret = -1;
for (i = 0; i < def->ndisks; i++) {
VIR_FREE(def->disks[i].src);
}
VIR_FREE(def->disks);
def->ndisks = 0;
}
VBOX_RELEASE(snap);
return ret;
@ -7380,8 +7386,10 @@ int vboxSnapshotGetReadOnlyDisks(virDomainSnapshotPtr snapshot,
/* Allocate mem, if fails return error */
if (VIR_ALLOC_N(def->dom->disks, def->dom->ndisks) >= 0) {
for (i = 0; i < def->dom->ndisks; i++) {
if (VIR_ALLOC(def->dom->disks[i]) < 0)
virDomainDiskDefPtr diskDef = virDomainDiskDefNew();
if (!diskDef)
goto cleanup;
def->dom->disks[i] = diskDef;
}
} else {
goto cleanup;
@ -7516,7 +7524,7 @@ int vboxSnapshotGetReadOnlyDisks(virDomainSnapshotPtr snapshot,
cleanup:
if (ret < 0) {
for (i = 0; i < def->dom->ndisks; i++)
VIR_FREE(def->dom->disks[i]);
virDomainDiskDefFree(def->dom->disks[i]);
VIR_FREE(def->dom->disks);
def->dom->ndisks = 0;
}