[libvirt] [PATCH] nwfilter: don't crash listing filters in unprivileged daemon

Daniel P. Berrange posted 1 patch 6 years, 3 months ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/20171205164115.12972-1-berrange@redhat.com
[libvirt] [PATCH] nwfilter: don't crash listing filters in unprivileged daemon
Posted by Daniel P. Berrange 6 years, 3 months ago
The unprivileged libvirtd does not support nwfilter config, but leaves the
driver active. It is supposed to result in all APIs being an effective
no-op, but several APIs rely on driver->nwfilters being non-NULL, or they
will reference a NULL pointer. Rather than adding checks for NULL in many
places, just make sure driver->nwfilters is always initialized.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
 src/nwfilter/nwfilter_driver.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c
index 2f9a51c405..89b767fe11 100644
--- a/src/nwfilter/nwfilter_driver.c
+++ b/src/nwfilter/nwfilter_driver.c
@@ -189,6 +189,8 @@ nwfilterStateInitialize(bool privileged,
     /* remember that we are going to use firewalld */
     driver->watchingFirewallD = (sysbus != NULL);
     driver->privileged = privileged;
+    if (!(driver->nwfilters = virNWFilterObjListNew()))
+        goto error;
 
     if (!privileged)
         return 0;
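
Review bot: the goto error added on allocation failure now sits ahead of the "if (!privileged) return 0;" early return, so the error label is reached before any of the privileged-only setup that follows has run. The body of that label is not visible in this patch, so confirm it only undoes state that already exists at this point, in both the privileged and the unprivileged daemon. If it unwinds later initialization, jump to err_free_driverstate instead, where the last hunk frees driver->nwfilters and driver.
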
@@ -244,9 +246,6 @@ nwfilterStateInitialize(bool privileged,
         goto error;
     }
 
-    if (!(driver->nwfilters = virNWFilterObjListNew()))
-        goto error;
-
     if (virNWFilterObjListLoadAllConfigs(driver->nwfilters, driver->configDir) < 0)
         goto error;
 
@@ -271,6 +270,7 @@ nwfilterStateInitialize(bool privileged,
     virNWFilterIPAddrMapShutdown();
 
  err_free_driverstate:
+    virNWFilterObjListFree(driver->nwfilters);
     VIR_FREE(driver);
 
     return -1;
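
Review bot: the virNWFilterObjListFree() call added under err_free_driverstate covers only the failed-initialization path, while the first hunk makes the unprivileged path return 0 with driver->nwfilters allocated. Check that the normal teardown path releases the list regardless of driver->privileged, otherwise the list allocated for the unprivileged daemon is never freed. Any jump that reaches err_free_driverstate with driver->nwfilters still NULL, including a failed virNWFilterObjListNew(), also relies on virNWFilterObjListFree() accepting NULL, so confirm that it does.
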
-- 
2.14.3

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] nwfilter: don't crash listing filters in unprivileged daemon
Posted by John Ferlan 6 years, 3 months ago

On 12/05/2017 11:41 AM, Daniel P. Berrange wrote:
> The unprivileged libvirtd does not support nwfilter config, but leaves the
> driver active. It is supposed to result in all APIs being an effective
> no-op, but several APIs rely on driver->nwfilters being non-NULL, or they
> will reference a NULL pointer. Rather than adding checks for NULL in many
> places, just make sure driver->nwfilters is always initialized.
> 
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> ---
>  src/nwfilter/nwfilter_driver.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 

I think nwfilterStateCleanup will also need a slight, but obvious
adjustment...

Reviewed-by: John Ferlan <jferlan@redhat.com>

John

(and since it's in 3.9, I need a bz to handle a backport <sigh>)

> diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c
> index 2f9a51c405..89b767fe11 100644
> --- a/src/nwfilter/nwfilter_driver.c
> +++ b/src/nwfilter/nwfilter_driver.c
> @@ -189,6 +189,8 @@ nwfilterStateInitialize(bool privileged,
>      /* remember that we are going to use firewalld */
>      driver->watchingFirewallD = (sysbus != NULL);
>      driver->privileged = privileged;
> +    if (!(driver->nwfilters = virNWFilterObjListNew()))
> +        goto error;
>  
>      if (!privileged)
>          return 0;
> @@ -244,9 +246,6 @@ nwfilterStateInitialize(bool privileged,
>          goto error;
>      }
>  
> -    if (!(driver->nwfilters = virNWFilterObjListNew()))
> -        goto error;
> -
>      if (virNWFilterObjListLoadAllConfigs(driver->nwfilters, driver->configDir) < 0)
>          goto error;
>  
> @@ -271,6 +270,7 @@ nwfilterStateInitialize(bool privileged,
>      virNWFilterIPAddrMapShutdown();
>  
>   err_free_driverstate:
> +    virNWFilterObjListFree(driver->nwfilters);
>      VIR_FREE(driver);
>  
>      return -1;
> 

Re: [libvirt] [PATCH] nwfilter: don't crash listing filters in unprivileged daemon
Posted by Peter Krempa 6 years, 3 months ago
On Tue, Dec 05, 2017 at 16:48:36 -0500, John Ferlan wrote:
> 
> 
> On 12/05/2017 11:41 AM, Daniel P. Berrange wrote:
> > The unprivileged libvirtd does not support nwfilter config, but leaves the
> > driver active. It is supposed to result in all APIs being an effective
> > no-op, but several APIs rely on driver->nwfilters being non-NULL, or they
> > will reference a NULL pointer. Rather than adding checks for NULL in many
> > places, just make sure driver->nwfilters is always initialized.
> > 
> > Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> > ---
> >  src/nwfilter/nwfilter_driver.c | 6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)
> > 
> 
> I think nwfilterStateCleanup will also need a slight, but obvious
> adjustment...
> 
> Reviewed-by: John Ferlan <jferlan@redhat.com>
> 
> John
> 
> (and since it's in 3.9, I need a bz to handle a backport <sigh>)

You don't need BZs for backporting it to maintenance branches.