[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-unstable] libxl: don't leak gc pointers to caller's structs; prevent double free

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 10 Sep 2010 14:40:41 -0700
Delivery-date: Fri, 10 Sep 2010 14:43:05 -0700
List-id: BK change log <xen-changelog.lists.xensource.com>

# HG changeset patch
# User Gianni Tedesco <gianni.tedesco@xxxxxxxxxx>
# Date 1284140940 -3600
# Node ID 8caf87c7a017d69ecb74fbb9aa506b02db938ea2
# Parent  d57c33873eede42abedc6534150ac6f8cb6ca237
libxl: don't leak gc pointers to caller's structs; prevent double free

libxl_build_device_model uses a pointer in a caller supplied data
structure to synthesize a vif-name if one is not supplied. This is bad
juju because the caller may want to free this pointer but by the time it
get's a chance the gc has already done so. Switch to using a local
variable for this pointer and avoid a double-free in the domain create
path.

Gianni Tedesco <gianni.tedesco@xxxxxxxxxx>
Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
---
 tools/libxl/libxl.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff -r d57c33873eed -r 8caf87c7a017 tools/libxl/libxl.c
--- a/tools/libxl/libxl.c       Fri Sep 10 18:47:53 2010 +0100
+++ b/tools/libxl/libxl.c       Fri Sep 10 18:49:00 2010 +0100
@@ -1190,14 +1190,17 @@ static char ** libxl_build_device_model_
                 char *smac = libxl__sprintf(gc, 
"%02x:%02x:%02x:%02x:%02x:%02x",
                                            vifs[i].mac[0], vifs[i].mac[1], 
vifs[i].mac[2],
                                            vifs[i].mac[3], vifs[i].mac[4], 
vifs[i].mac[5]);
+                char *ifname;
                 if (!vifs[i].ifname)
-                    vifs[i].ifname = libxl__sprintf(gc, "tap%d.%d", 
info->domid, vifs[i].devid);
+                    ifname = libxl__sprintf(gc, "tap%d.%d", info->domid, 
vifs[i].devid);
+                else
+                    ifname = vifs[i].ifname;
                 flexarray_set(dm_args, num++, "-net");
                 flexarray_set(dm_args, num++, libxl__sprintf(gc, 
"nic,vlan=%d,macaddr=%s,model=%s",
                             vifs[i].devid, smac, vifs[i].model));
                 flexarray_set(dm_args, num++, "-net");
                 flexarray_set(dm_args, num++, libxl__sprintf(gc, 
"tap,vlan=%d,ifname=%s,bridge=%s,script=no",
-                            vifs[i].devid, vifs[i].ifname, vifs[i].bridge));
+                            vifs[i].devid, ifname, vifs[i].bridge));
                 ioemu_vifs++;
             }
         }

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

Prev by Date: [Xen-changelog] [xen-unstable] xl: use xlu_cfg_replace_string in a few more places.
Next by Date: [Xen-changelog] [xen-unstable] xl: don't leak a lot of memory in forked process in domain_create
Previous by thread: [Xen-changelog] [xen-unstable] xl: use xlu_cfg_replace_string in a few more places.
Next by thread: [Xen-changelog] [xen-unstable] xl: don't leak a lot of memory in forked process in domain_create
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.