From 5ee18aaa578768893918d67e0dc36fe72b73b736 Mon Sep 17 00:00:00 2001
From: Alex Jia <ajia@redhat.com>
Date: Sat, 28 Apr 2012 19:01:40 +0800
Subject: [PATCH] util: Avoid libvirtd crash in virNetDevTapCreate

In fact, the 'tapfd' is always NULL, the function 'virNetDevTapCreate()' hasn't
assign 'fd' to 'tapfd', when the function 'virNetDevSetMAC()' is failed then
goto 'error' label, finally, the VIR_FORCE_CLOSE() will deref a NULL 'tapfd'.

* util/virnetdevtap.c (virNetDevTapCreateInBridgePort): fix a NULL pointer derefing.

* How to reproduce?

$ cat > /tmp/net.xml <<EOF
<network>
  <name>test</name>
  <forward mode='nat'/>
  <bridge name='br1' stp='off' delay='1' />
  <mac address='00:00:00:00:00:00'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.100.2' end='192.168.100.254' />
    </dhcp>
  </ip>
</network>
EOF

$ virsh net-define /tmp/net.xml

$ virsh net-start test
error: Failed to start network brTest
error: End of file while reading data: Input/output error

Signed-off-by: Alex Jia <ajia@redhat.com>
---
 src/util/virnetdevtap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/util/virnetdevtap.c b/src/util/virnetdevtap.c
index 0b3ac46183..5d21164c82 100644
--- a/src/util/virnetdevtap.c
+++ b/src/util/virnetdevtap.c
@@ -341,7 +341,8 @@ int virNetDevTapCreateInBridgePort(const char *brname,
     return 0;
 
  error:
-    VIR_FORCE_CLOSE(*tapfd);
+    if (tapfd)
+        VIR_FORCE_CLOSE(*tapfd);
 
     return errno;
 }