From nobody Sun Feb  8 17:41:24 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 170.10.133.124 as permitted sender) client-ip=170.10.133.124;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1662724710; cv=none;
	d=zohomail.com; s=zohoarc;
	b=mWYxFBkWfxzHOBHwr/0QsWoEXcowaCD1aVoAtIZHez71xA6yGMHf/O0nl6jjeGo38w89G+T4o7Oh3oBZvru0OjBfuUTFMlVXYrjgkAiyaYQ6QxtKpNVVBV4QS+o2kN6B5Jbd+H3aOPym6R2SM/JB7BK8fhC66cnOyyorl97z+Zg=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1662724710;
 h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=J7+8yuL85XVuhF+/8KsHf+t50gvCNXtae5OfScvdryg=;
	b=COiEpORdqwAiy0xLcJhOz71lJu274QpBznLFh2PVivwW72UhGrhz4cosKYV2wiNeniUcfkic5rrZdHbPVWcXWHR0rUKBj5xpAiD8F8sNO47Pv3FVMnXtmuQWhNiT2/ijYQ5hcyTmQxBuPjoc53CoK8qmY0UM0/2Sm9NnhgstusY=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass header.from=<pkrempa@redhat.com> (p=none dis=none)
Return-Path: <libvir-list-bounces@redhat.com>
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com
	with SMTPS id 1662724710331235.9214063131892;
 Fri, 9 Sep 2022 04:58:30 -0700 (PDT)
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-602-VcsYTIMvMUqX8tB50V3jiw-1; Fri, 09 Sep 2022 07:58:26 -0400
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com
 [10.11.54.7])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id ACD9883DE3C;
	Fri,  9 Sep 2022 11:58:24 +0000 (UTC)
Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com
 (unknown [10.30.29.100])
	by smtp.corp.redhat.com (Postfix) with ESMTP id F396D1410F3C;
	Fri,  9 Sep 2022 11:58:23 +0000 (UTC)
Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com
 (localhost [IPv6:::1])
	by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with
 ESMTP id 5E1761946A44;
	Fri,  9 Sep 2022 11:58:23 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com
 [10.11.54.6])
 by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with
 ESMTP id EDFD41946A41 for <libvir-list@listman.corp.redhat.com>;
 Fri,  9 Sep 2022 11:58:21 +0000 (UTC)
Received: by smtp.corp.redhat.com (Postfix)
 id E096F2166B29; Fri,  9 Sep 2022 11:58:21 +0000 (UTC)
Received: from speedmetal.lan (unknown [10.40.208.30])
 by smtp.corp.redhat.com (Postfix) with ESMTP id 31EE82166B26
 for <libvir-list@redhat.com>; Fri,  9 Sep 2022 11:58:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1662724709;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=J7+8yuL85XVuhF+/8KsHf+t50gvCNXtae5OfScvdryg=;
	b=ZqdlfD+vfgnYeNmMUxV0uRuNL7d07Ic5u1jo5ucgFyaOG1LN/ydIBtwkIPipcOBhsdPuwT
	pwhCyu1PAF/k396tBV/Mbg583W17TeQ6DMNhl951LaykpcQzxMqpp1QC9Pap1DryedeRh0
	v4b4U/1GYeLxx/AoLZ2bP7TGJmXzjvI=
X-MC-Unique: VcsYTIMvMUqX8tB50V3jiw-1
X-Original-To: libvir-list@listman.corp.redhat.com
From: Peter Krempa <pkrempa@redhat.com>
To: libvir-list@redhat.com
Subject: [PATCH v2 1/9] virConnectOpenInternal: Avoid double free() when alias
 is an invalid URI
Date: Fri,  9 Sep 2022 13:58:11 +0200
Message-Id: 
 <4f08a463d82ed91be33767bcb3e17d01cbc23ebb.1662723003.git.pkrempa@redhat.com>
In-Reply-To: <cover.1662723003.git.pkrempa@redhat.com>
References: <cover.1662723003.git.pkrempa@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <libvir-list.redhat.com>
List-Unsubscribe: <https://listman.redhat.com/mailman/options/libvir-list>,
 <mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <http://listman.redhat.com/archives/libvir-list/>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://listman.redhat.com/mailman/listinfo/libvir-list>,
 <mailto:libvir-list-request@redhat.com?subject=subscribe>
Errors-To: libvir-list-bounces@redhat.com
Sender: "libvir-list" <libvir-list-bounces@redhat.com>
X-Scanned-By: MIMEDefang 2.85 on 10.11.54.7
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @redhat.com)
X-ZM-MESSAGEID: 1662724711926100001
Content-Type: text/plain; charset="utf-8"

Configuring an URI alias such as

  uri_aliases =3D [
      "blah=3Dqemu://invaliduri@@@",
  ]

Results in a double free when the alias is used:

  $ virsh -c blah
  free(): double free detected in tcache 2
  Aborted (core dumped)

This happens as the 'alias' variable is first assigned to 'uristr' which
is cleared in the 'failed' label and then is explicitly freed again.

Fix this by switching to 'g_autofree' for alias and stealing it into
'uristr'.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: J=C3=A1n Tomko <jtomko@redhat.com>
---
 src/libvirt.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/libvirt.c b/src/libvirt.c
index b78b49a632..7e7c0fc8e3 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -933,21 +933,19 @@ virConnectOpenInternal(const char *name,
     }

     if (uristr) {
-        char *alias =3D NULL;
+        g_autofree char *alias =3D NULL;

         if (!(flags & VIR_CONNECT_NO_ALIASES) &&
             virURIResolveAlias(conf, uristr, &alias) < 0)
             goto failed;

         if (alias) {
-            VIR_FREE(uristr);
-            uristr =3D alias;
+            g_free(uristr);
+            uristr =3D g_steal_pointer(&alias);
         }

-        if (!(ret->uri =3D virURIParse(uristr))) {
-            VIR_FREE(alias);
+        if (!(ret->uri =3D virURIParse(uristr)))
             goto failed;
-        }

         /* Avoid need for drivers to worry about NULLs, as
          * no one needs to distinguish "" vs NULL */
--=20
2.37.1