External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-07 17:28:15 +00:00
Code

virEventPollDispatchHandles: Honour array boundaries

Browse Source 
When dispatching events from the event loop, the array of registered
handles is searched to see what handles happened an event on. However,
the array is searched in weird way: the check for the array boundaries
is at the end, so we may touch the elements after the end of the
array:

==10434== Invalid read of size 4
==10434==    at 0x52D06B6: virEventPollDispatchHandles (vireventpoll.c:486)
==10434==    by 0x52D10E4: virEventPollRunOnce (vireventpoll.c:660)
==10434==    by 0x52CF207: virEventRunDefaultImpl (virevent.c:308)
==10434==    by 0x1639D1: virNetServerRun (virnetserver.c:1139)
==10434==    by 0x1220DC: main (libvirtd.c:1507)
==10434==  Address 0xc11ff04 is 4 bytes after a block of size 960 alloc'd
==10434==    at 0x4C2CA5E: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10434==    by 0x52AD378: virReallocN (viralloc.c:245)
==10434==    by 0x52AD46E: virExpandN (viralloc.c:294)
==10434==    by 0x52AD5B1: virResizeN (viralloc.c:352)
==10434==    by 0x52CF2EC: virEventPollAddHandle (vireventpoll.c:116)
==10434==    by 0x52CEF5B: virEventAddHandle (virevent.c:78)
==10434==    by 0x11F69A90: nodeStateInitialize (node_device_udev.c:1797)
==10434==    by 0x53C3C89: virStateInitialize (libvirt.c:743)
==10434==    by 0x120563: daemonRunStateInit (libvirtd.c:919)
==10434==    by 0x5317719: virThreadHelper (virthread.c:197)
==10434==    by 0x8376F39: start_thread (in /lib64/libpthread-2.17.so)
==10434==    by 0x8A7F9FC: clone (in /lib64/libc-2.17.so)

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
Michal Privoznik 2014-07-09 09:37:20 +02:00
parent 036dd423d4
commit 52f50a7160
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/util/vireventpoll.c
View File

@ -483,9 +483,9 @@ static int virEventPollDispatchHandles(int nfds, struct pollfd *fds)
* fds might be added on end of list, and they're not
* in the fds array we've got */
for (i = 0, n = 0; n < nfds && i < eventLoop.handlesCount; n++) {
while ((eventLoop.handles[i].fd != fds[n].fd ||
eventLoop.handles[i].events == 0) &&
i < eventLoop.handlesCount) {
while (i < eventLoop.handlesCount &&
(eventLoop.handles[i].fd != fds[n].fd ||
eventLoop.handles[i].events == 0)) {
i++;
}
if (i == eventLoop.handlesCount)