virDomainObjListAddLocked: fix double free
If @vm has been flagged as "to be removed", virDomainObjListFindByNameLocked returns NULL (although the definition actually exists). Therefore the possibility exists that "virHashAddEntry" will raise the error "Duplicate key" => virDomainObjListAddObjLocked fails => virDomainObjEndAPI(&vm) is called and this leads to a freeing of @def since @def is already assigned to vm->def. But actually this leads to a double free since the common usage pattern is that the caller of virDomainObjListAdd(Locked) is responsible for freeing @def in case of an error. Let's fix this by setting vm->def to NULL in case of an error. Backtrace: ➤ bt #0 virFree (ptrptr=0x7575757575757575) #1 0x000003ffb5b25b3e in virDomainResourceDefFree #2 0x000003ffb5b37c34 in virDomainDefFree #3 0x000003ff9123f734 in qemuDomainDefineXMLFlags #4 0x000003ff9123f7f4 in qemuDomainDefineXML #5 0x000003ffb5cd2c84 in virDomainDefineXML #6 0x000000011745aa82 in remoteDispatchDomainDefineXML ... Reviewed-by: Bjoern Walk <bwalk@linux.ibm.com> Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
This commit is contained in:
parent
6c5f6cdab9
commit
7e760f6157
@ -329,9 +329,11 @@ virDomainObjListAddLocked(virDomainObjListPtr doms,
goto cleanup;
vm->def = def;
if (virDomainObjListAddObjLocked(doms, vm) < 0)
if (virDomainObjListAddObjLocked(doms, vm) < 0) {
vm->def = NULL;
goto error;
}
}
cleanup:
return vm;
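Review bot: The new `vm->def = NULL;` before `goto error` encodes an ownership rule that the code itself does not state: on failure @def still belongs to the caller, so it has to be detached from @vm before the error path releases @vm, otherwise the definition is freed twice. A one-line comment above the assignment would keep a later cleanup from "simplifying" it away, e.g. `/* @def is still owned by the caller on failure; detach it so releasing @vm does not free it */`. The `error:` label and the release of @vm lie outside this hunk, so I could not confirm from the visible lines that nothing else on that path dereferences vm->def after it is cleared.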