On 02/09/2017 09:13 AM, Marc Hartmayer wrote:
> After freeing the data structures we have to reset the counters to
> zero. This fixes a segmentation fault when virNetDevIPInfoClear is
> called twice (e.g. this is possible in virDomainNetDefParseXML() if
> virDomainNetIPInfoParseXML(...) fails with ret < 0 (this leads to the
> first call of 'virNetDevIPInfoClear(&def->guestIP)') and the resulting
> call of virDomainNetDefFree(def) in the error path of
> virDomainNetDefParseXML() (this leads to the second call of
> virNetDevIPInfoClear(&def->guestIP), and finally to the segmentation
> fault).
ACK, and I take full responsibility for introducing the bug :-/
(This shows the danger of believing that merely moving a chunk of code
into a subordinate function that's called in place of the original code
won't lead to a regression; previously it wasn't possible to call it
twice on the same object, but now it is)
>
> Signed-off-by: Marc Hartmayer <mhartmay@linux.vnet.ibm.com>
> Reviewed-by: Boris Fiuczynski <fiuczy@linux.vnet.ibm.com>
> Reviewed-by: Bjoern Walk <bwalk@linux.vnet.ibm.com>
> ---
> src/util/virnetdevip.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/src/util/virnetdevip.c b/src/util/virnetdevip.c
> index d159760..42fbba1 100644
> --- a/src/util/virnetdevip.c
> +++ b/src/util/virnetdevip.c
> @@ -882,10 +882,12 @@ virNetDevIPInfoClear(virNetDevIPInfoPtr ip)
> for (i = 0; i < ip->nips; i++)
> VIR_FREE(ip->ips[i]);
> VIR_FREE(ip->ips);
> + ip->nips = 0;
>
> for (i = 0; i < ip->nroutes; i++)
> virNetDevIPRouteFree(ip->routes[i]);
> VIR_FREE(ip->routes);
> + ip->nroutes = 0;
> }
>
>
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list