From nobody Sat Feb  7 05:14:23 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 170.10.129.124 as permitted sender) client-ip=170.10.129.124;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1662650181; cv=none;
	d=zohomail.com; s=zohoarc;
	b=RtaSjXYKvkvt0WEg6vFggukEB9c56x/4o9JF31lVbeqn1u8z3jkcxZMcVTND0/yxHCzV2HPuZCerwYe7F2Kq4zwD4i1P9HIyvW1Z6RL2XplPy6E+DkIgMEdJS7SZxdtnEZBnYO+qAFccqTcFSYkjydCgcd14SiSf6KEl8ZcRs4E=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1662650181;
 h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=J7+8yuL85XVuhF+/8KsHf+t50gvCNXtae5OfScvdryg=;
	b=Gr1BqAextexVcWa1e+7ti39sr4sVwKkXe2TrTZQ34UZ6ocbdtpLy1rY4K8B5uz7SVFbsD4GOz6pYaBcjovPc289P98xc2B5lZyz3GNGSV+s8sqcEwCUjYGGWSjfmPNE6MMlc+9NppiEjK30epasXGBU5cUYoFGl3QSYN+p6dxhA=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass header.from=<pkrempa@redhat.com> (p=none dis=none)
Return-Path: <libvir-list-bounces@redhat.com>
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.zohomail.com
	with SMTPS id 1662650181329435.5379271588761;
 Thu, 8 Sep 2022 08:16:21 -0700 (PDT)
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-529-PVxHO9v3OLmx2FbI2uY73Q-1; Thu, 08 Sep 2022 11:16:16 -0400
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com
 [10.11.54.1])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 84505803C9F;
	Thu,  8 Sep 2022 15:16:05 +0000 (UTC)
Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com
 (mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com [10.30.29.100])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 6DBF640CF8F0;
	Thu,  8 Sep 2022 15:16:05 +0000 (UTC)
Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com
 (localhost [IPv6:::1])
	by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with
 ESMTP id 3E7121946A44;
	Thu,  8 Sep 2022 15:16:05 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com
 [10.11.54.7])
 by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with
 ESMTP id 8EA5D1946A41 for <libvir-list@listman.corp.redhat.com>;
 Thu,  8 Sep 2022 15:16:03 +0000 (UTC)
Received: by smtp.corp.redhat.com (Postfix)
 id 7D6E91415133; Thu,  8 Sep 2022 15:16:03 +0000 (UTC)
Received: from speedmetal.lan (unknown [10.40.208.30])
 by smtp.corp.redhat.com (Postfix) with ESMTP id ECB011410F36
 for <libvir-list@redhat.com>; Thu,  8 Sep 2022 15:16:02 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1662650180;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=J7+8yuL85XVuhF+/8KsHf+t50gvCNXtae5OfScvdryg=;
	b=ewoklwzGD93ZJOC11pYK9pWaP6opx9kHIa7Gf7kb+fIxo7Xn/edQphsY4+HtbnyIpPfncs
	CyPBSyYAohEssBM1ehJjk6/Fhp9BNE9clqoFvTRtWZYLMc+fjqBOjkDHai00UIAhxqYaVW
	u4ah2eDu1T676hmr3ceoMPzzvVKlS7Y=
X-MC-Unique: PVxHO9v3OLmx2FbI2uY73Q-1
X-Original-To: libvir-list@listman.corp.redhat.com
From: Peter Krempa <pkrempa@redhat.com>
To: libvir-list@redhat.com
Subject: [PATCH 1/6] virConnectOpenInternal: Avoid double free() when alias is
 an invalid URI
Date: Thu,  8 Sep 2022 17:15:55 +0200
Message-Id: 
 <2ad2a9c44ee444a5f5f51c8dc97bb172921a74e6.1662650080.git.pkrempa@redhat.com>
In-Reply-To: <cover.1662650080.git.pkrempa@redhat.com>
References: <cover.1662650080.git.pkrempa@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.85 on 10.11.54.7
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <libvir-list.redhat.com>
List-Unsubscribe: <https://listman.redhat.com/mailman/options/libvir-list>,
 <mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <http://listman.redhat.com/archives/libvir-list/>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://listman.redhat.com/mailman/listinfo/libvir-list>,
 <mailto:libvir-list-request@redhat.com?subject=subscribe>
Errors-To: libvir-list-bounces@redhat.com
Sender: "libvir-list" <libvir-list-bounces@redhat.com>
X-Scanned-By: MIMEDefang 2.84 on 10.11.54.1
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @redhat.com)
X-ZM-MESSAGEID: 1662650182438100003
Content-Type: text/plain; charset="utf-8"

Configuring an URI alias such as

  uri_aliases =3D [
      "blah=3Dqemu://invaliduri@@@",
  ]

Results in a double free when the alias is used:

  $ virsh -c blah
  free(): double free detected in tcache 2
  Aborted (core dumped)

This happens as the 'alias' variable is first assigned to 'uristr' which
is cleared in the 'failed' label and then is explicitly freed again.

Fix this by switching to 'g_autofree' for alias and stealing it into
'uristr'.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 src/libvirt.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/libvirt.c b/src/libvirt.c
index b78b49a632..7e7c0fc8e3 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -933,21 +933,19 @@ virConnectOpenInternal(const char *name,
     }

     if (uristr) {
-        char *alias =3D NULL;
+        g_autofree char *alias =3D NULL;

         if (!(flags & VIR_CONNECT_NO_ALIASES) &&
             virURIResolveAlias(conf, uristr, &alias) < 0)
             goto failed;

         if (alias) {
-            VIR_FREE(uristr);
-            uristr =3D alias;
+            g_free(uristr);
+            uristr =3D g_steal_pointer(&alias);
         }

-        if (!(ret->uri =3D virURIParse(uristr))) {
-            VIR_FREE(alias);
+        if (!(ret->uri =3D virURIParse(uristr)))
             goto failed;
-        }

         /* Avoid need for drivers to worry about NULLs, as
          * no one needs to distinguish "" vs NULL */
--=20
2.37.1