From: Kevin Wolf
To: qemu-block@nongnu.org
Cc: kwolf@redhat.com, qemu-devel@nongnu.org
Date: Tue, 7 Mar 2017 16:40:35 +0100
Message-Id: <1488901251-16214-12-git-send-email-kwolf@redhat.com>
In-Reply-To: <1488901251-16214-1-git-send-email-kwolf@redhat.com>
References: <1488901251-16214-1-git-send-email-kwolf@redhat.com>
Subject: [Qemu-devel] [PULL 11/27] sheepdog: Defuse time bomb in sd_open() error handling

From: Markus Armbruster

When qemu_opts_absorb_qdict() fails, sd_open() closes stdin, because
sd->fd is still zero. Fortunately, qemu_opts_absorb_qdict() can't
fail, because:

1. it only fails when qemu_opt_parse() fails, and
2. the only member of runtime_opts.desc[] is a QEMU_OPT_STRING, and
3. qemu_opt_parse() can't fail for QEMU_OPT_STRING.

Defuse this ticking time bomb by jumping behind the file descriptor
cleanup on error.

Also do that for the error paths where sd->fd is still -1. The file
descriptor cleanup happens to do nothing then, but let's not rely on
that here.

While there, rename label out to err, because it's on the error path,
not the normal path out of the function.

Signed-off-by: Markus Armbruster
Reviewed-by: Eric Blake
Signed-off-by: Kevin Wolf
---
 block/sheepdog.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/block/sheepdog.c b/block/sheepdog.c index 7434710..c3ee4ce 100644 --- a/block/sheepdog.c +++ b/block/sheepdog.c @@ -1392,7 +1392,7 @@ static int sd_open(BlockDriverState *bs, QDict *optio= ns, int flags, if (local_err) { error_propagate(errp, local_err); ret =3D -EINVAL; - goto out; + goto err_no_fd; } =20 filename =3D qemu_opt_get(opts, "filename"); @@ -1412,17 +1412,17 @@ static int sd_open(BlockDriverState *bs, QDict *opt= ions, int flags, } if (ret < 0) { error_setg(errp, "Can't parse filename"); - goto out; + goto err_no_fd; } s->fd =3D get_sheep_fd(s, errp); if (s->fd < 0) { ret =3D s->fd; - goto out; + goto err_no_fd; } =20 ret =3D find_vdi_name(s, vdi, snapid, tag, &vid, true, errp); if (ret) { - goto out; + goto err; } =20 /* @@ -1443,7 +1443,7 @@ static int sd_open(BlockDriverState *bs, QDict *optio= ns, int flags, fd =3D connect_to_sdog(s, errp); if (fd < 0) { ret =3D fd; - goto out; + goto err; } =20 buf =3D g_malloc(SD_INODE_SIZE); @@ -1454,7 +1454,7 @@ static int sd_open(BlockDriverState *bs, QDict *optio= ns, int flags, =20 if (ret) { error_setg(errp, "Can't read snapshot inode"); - goto out; + goto err; } =20 memcpy(&s->inode, buf, sizeof(s->inode)); @@ -1466,12 +1466,12 @@ static int sd_open(BlockDriverState *bs, QDict *opt= ions, int flags, qemu_opts_del(opts); g_free(buf); return 0; -out: + +err: aio_set_fd_handler(bdrv_get_aio_context(bs), s->fd, false, NULL, NULL, NULL, NULL); - if (s->fd >=3D 0) { - closesocket(s->fd); - } + closesocket(s->fd); +err_no_fd: qemu_opts_del(opts); g_free(buf); return ret; --=20 1.8.3.1
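Review bot: in the first hunk (@@ -1392), the qemu_opts_absorb_qdict() error path is now safe only because of which label it jumps to; per the commit message s->fd still holds zero at that point, and zero is a valid descriptor (stdin). Consider also assigning s->fd = -1 before the qemu_opts_absorb_qdict() call, so the field never aliases a live descriptor while sd_open() can still fail and a future edit that picks the wrong label degrades to a no-op rather than closing stdin.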
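Review bot: in the last hunk (@@ -1466), closesocket(s->fd) under the err: label is now unconditional, so correctness depends on an unstated invariant that every goto err is reached only after get_sheep_fd() has returned a valid descriptor. The three goto err sites in this patch (after find_vdi_name(), connect_to_sdog() and the "Can't read snapshot inode" check) all satisfy it, but nothing at the label records the rule. Add a short comment above err: stating that s->fd must be open there, or keep the removed "if (s->fd >= 0)" guard as defence in depth, since the same label also passes s->fd to aio_set_fd_handler().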