From: Daniel P. Berrangé
To: libvir-list@redhat.com
Subject: [PATCH] remote: fix double free of migration params on error
Date: Tue, 10 Jan 2023 05:42:24 -0500
Message-Id: <20230110104224.2400002-1-berrange@redhat.com>

The remote_*_args methods will generally borrow pointers passed in the caller, so should not be freed.

On failure of the virTypedParamsSerialize method, however, xdr_free was being called. This is presumably because it was thought that the params may have been partially serialized and need cleaning up.

This is incorrect, as virTypedParamsSerialize takes care to clean up partially serialized data. This xdr_free call would lead to freeing the borrowed cookie pointers, which would be a double free.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Martin Kletzander
--- src/remote/remote_driver.c | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index b0dba9057b..bb44d0004f 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -6919,8 +6919,6 @@ remoteDomainMigrateBegin3Params(virDomainPtr domain, (struct _virTypedParameterRemote **) &args= .params.params_val, &args.params.params_len, VIR_TYPED_PARAM_STRING_OKAY) < 0) { - xdr_free((xdrproc_t) xdr_remote_domain_migrate_begin3_params_args, - (char *) &args); goto cleanup; } =20 
@@ -6981,8 +6979,6 @@ remoteDomainMigratePrepare3Params(virConnectPtr dconn, (struct _virTypedParameterRemote **) &args= .params.params_val, &args.params.params_len, VIR_TYPED_PARAM_STRING_OKAY) < 0) { - xdr_free((xdrproc_t) xdr_remote_domain_migrate_prepare3_params_arg= s, - (char *) &args); goto cleanup; } =20 @@ -7063,8 +7059,6 @@ remoteDomainMigratePrepareTunnel3Params(virConnectPtr= dconn, (struct _virTypedParameterRemote **) &args= .params.params_val, &args.params.params_len, VIR_TYPED_PARAM_STRING_OKAY) < 0) { - xdr_free((xdrproc_t) xdr_remote_domain_migrate_prepare_tunnel3_par= ams_args, - (char *) &args); goto cleanup; } =20 @@ -7149,8 +7143,6 @@ remoteDomainMigratePerform3Params(virDomainPtr dom, (struct _virTypedParameterRemote **) &args= .params.params_val, &args.params.params_len, VIR_TYPED_PARAM_STRING_OKAY) < 0) { - xdr_free((xdrproc_t) xdr_remote_domain_migrate_perform3_params_arg= s, - (char *) &args); goto cleanup; } =20 @@ -7216,8 +7208,6 @@ remoteDomainMigrateFinish3Params(virConnectPtr dconn, (struct _virTypedParameterRemote **) &args= .params.params_val, &args.params.params_len, VIR_TYPED_PARAM_STRING_OKAY) < 0) { - xdr_free((xdrproc_t) xdr_remote_domain_migrate_finish3_params_args, - (char *) &args); goto cleanup; } =20 @@ -7284,8 +7274,6 @@ remoteDomainMigrateConfirm3Params(virDomainPtr domain, (struct _virTypedParameterRemote **) &args= .params.params_val, &args.params.params_len, VIR_TYPED_PARAM_STRING_OKAY) < 0) { - xdr_free((xdrproc_t) xdr_remote_domain_migrate_confirm3_params_arg= s, - (char *) &args); goto cleanup; } =20 --=20 2.38.1
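
Review bot: in each of the six `virTypedParamsSerialize(...) < 0` failure branches (remoteDomainMigrateBegin3Params through remoteDomainMigrateConfirm3Params) the code now goes straight to `goto cleanup;`, so the fix is only safe if two things hold that these hunks do not show: the failed serializer leaves `args.params.params_val` as NULL with `args.params.params_len` at 0, and the `cleanup` label releases only that serialized array and never passes the whole `args` to `xdr_free`. Please confirm both in the patch description or point at the relevant lines, since a stale `params_val` freed again under `cleanup` would move the same double free one step later. A regression test that forces the serializer to fail in one of these functions, run under ASan or valgrind, would pin the behaviour down.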
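
Review bot: missing documentation at the six failure branches: the rule that `args` only borrows the caller's cookie pointers is stated in the commit message alone, and the same serialize-then-bail block is repeated in six functions, so an `xdr_free` call on `&args` could be reintroduced in any one of them without anyone noticing. Suggest a one-line comment above each `goto cleanup;` saying that `args` holds borrowed pointers and must not be passed to `xdr_free`, or folding the repeated block into a single helper that carries that comment.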