Re: [libvirt] [PATCH] Fix libvirtd free() segfault when migrating guest with deleted open vswitch port

2016-01-27 Thread Michal Privoznik
On 26.01.2016 19:25, Jason J. Herne wrote:
> libvirtd crashes on free()ing portData for an open vswitch port if that port
> was deleted.  To reproduce:
> 
> ovs-vsctl del-port vnet0
> virsh migrate --live kvm1 qemu+ssh://dstHost/system
> 
> Error message:
> libvirtd: *** Error in `/usr/sbin/libvirtd': free(): invalid pointer: 
> 0x03ff90001e20 ***
> 
> The problem is that virCommandRun can return an empty string in the event that
> the port being queried does not exist. When this happens then we are
> unconditionally overwriting a newline character at position strlen()-1. When
> strlen is 0, we overwrite memory that does not belong to the string.
> 
> The fix: Only overwrite the newline if the string is not empty.
> 
> Reviewed-by: Bjoern Walk 
> Signed-off-by: Jason J. Herne 
> ---
>  src/util/virnetdevopenvswitch.c | 6 --
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/src/util/virnetdevopenvswitch.c b/src/util/virnetdevopenvswitch.c
> index 6780fb5..0f640d0 100644
> --- a/src/util/virnetdevopenvswitch.c
> +++ b/src/util/virnetdevopenvswitch.c
> @@ -222,8 +222,10 @@ int virNetDevOpenvswitchGetMigrateData(char **migrate, 
> const char *ifname)
>  goto cleanup;
>  }
>  
> -/* Wipeout the newline */
> -(*migrate)[strlen(*migrate) - 1] = '\0';
> +/* Wipeout the newline, if it exists */
> +if (strlen(*migrate) > 0) {
> +(*migrate)[strlen(*migrate) - 1] = '\0';
> +}
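
Review bot: the new comment says the newline is removed "if it exists", but the condition in `if (strlen(*migrate) > 0)` only proves the string is non-empty, so output that ends without a newline would lose its last real character. Suggest taking the length once into a `size_t len` and testing `len > 0 && (*migrate)[len - 1] == '\n'` before writing the terminator.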

I'd rather see us computing the length of the string once, but I guess
the compiler is wise enough to optimize the code for us.

Michal

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list


Re: [libvirt] [PATCH] Fix libvirtd free() segfault when migrating guest with deleted open vswitch port

2016-01-27 Thread Andrea Bolognani
On Tue, 2016-01-26 at 13:25 -0500, Jason J. Herne wrote:
> libvirtd crashes on free()ing portData for an open vswitch port if that port
> was deleted.  To reproduce:
> 
> ovs-vsctl del-port vnet0
> virsh migrate --live kvm1 qemu+ssh://dstHost/system
> 
> Error message:
> libvirtd: *** Error in `/usr/sbin/libvirtd': free(): invalid pointer: 
> 0x03ff90001e20 ***
> 
> The problem is that virCommandRun can return an empty string in the event that
> the port being queried does not exist. When this happens then we are
> unconditionally overwriting a newline character at position strlen()-1. When
> strlen is 0, we overwrite memory that does not belong to the string.
> 
> The fix: Only overwrite the newline if the string is not empty.
> 
> Reviewed-by: Bjoern Walk 
> Signed-off-by: Jason J. Herne 
> ---
>  src/util/virnetdevopenvswitch.c | 6 --
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/src/util/virnetdevopenvswitch.c b/src/util/virnetdevopenvswitch.c
> index 6780fb5..0f640d0 100644
> --- a/src/util/virnetdevopenvswitch.c
> +++ b/src/util/virnetdevopenvswitch.c
> @@ -222,8 +222,10 @@ int virNetDevOpenvswitchGetMigrateData(char **migrate, 
> const char *ifname)
>  goto cleanup;
>  }
>  
> -/* Wipeout the newline */
> -(*migrate)[strlen(*migrate) - 1] = '\0';
> +/* Wipeout the newline, if it exists */
> +if (strlen(*migrate) > 0) {
> +(*migrate)[strlen(*migrate) - 1] = '\0';
> +}
>  ret = 0;
>   cleanup:
>  virCommandFree(cmd);
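
Review bot: `ret = 0;` is still reached when the output is empty, so in the deleted-port case from the commit message the caller gets success and an empty `*migrate` rather than an error. If empty port data is not meaningful to the caller, report an error and `goto cleanup` in that branch; if it is intended, say so in a comment next to the check.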

Amended to prevent

  Curly brackets around single-line body:
  src/util/virnetdevopenvswitch.c:226-228:
  if (strlen(*migrate) > 0) {
  (*migrate)[strlen(*migrate) - 1] = '\0';
  }
  maint.mk: incorrect formatting, see HACKING for rules
  cfg.mk:1084: recipe for target 'bracket-spacing-check' failed

on 'make syntax-check' and pushed.

Cheers.

-- 
Andrea Bolognani
Software Engineer - Virtualization Team


[libvirt] [PATCH] Fix libvirtd free() segfault when migrating guest with deleted open vswitch port

2016-01-26 Thread Jason J. Herne
libvirtd crashes on free()ing portData for an open vswitch port if that port
was deleted.  To reproduce:

ovs-vsctl del-port vnet0
virsh migrate --live kvm1 qemu+ssh://dstHost/system

Error message:
libvirtd: *** Error in `/usr/sbin/libvirtd': free(): invalid pointer: 
0x03ff90001e20 ***

The problem is that virCommandRun can return an empty string in the event that
the port being queried does not exist. When this happens then we are
unconditionally overwriting a newline character at position strlen()-1. When
strlen is 0, we overwrite memory that does not belong to the string.

The fix: Only overwrite the newline if the string is not empty.

Reviewed-by: Bjoern Walk 
Signed-off-by: Jason J. Herne 
---
 src/util/virnetdevopenvswitch.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/util/virnetdevopenvswitch.c b/src/util/virnetdevopenvswitch.c
index 6780fb5..0f640d0 100644
--- a/src/util/virnetdevopenvswitch.c
+++ b/src/util/virnetdevopenvswitch.c
@@ -222,8 +222,10 @@ int virNetDevOpenvswitchGetMigrateData(char **migrate, 
const char *ifname)
 goto cleanup;
 }
 
-/* Wipeout the newline */
-(*migrate)[strlen(*migrate) - 1] = '\0';
+/* Wipeout the newline, if it exists */
+if (strlen(*migrate) > 0) {
+(*migrate)[strlen(*migrate) - 1] = '\0';
+}
 ret = 0;
  cleanup:
 virCommandFree(cmd);
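
Review bot: style point on the added `if`: it wraps a single statement in braces and calls `strlen(*migrate)` twice. Dropping the braces and caching the length in a local keeps the change to two statements and matches the single-statement-body rule that `make syntax-check` enforces.
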
-- 
1.9.1
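
The off-by-one described in the commit message, reduced to a stand-alone C program. This is an added example, not code from libvirt or from the patch; `unguarded_index` and `chomp_newline` are hypothetical names and the sample strings are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Index that the unguarded statement s[strlen(s) - 1] = '\0' writes to.
 * strlen() returns an unsigned size_t, so for "" the subtraction wraps
 * to SIZE_MAX rather than -1; on typical platforms that addresses the
 * byte just before the buffer, which the string does not own. */
static size_t unguarded_index(const char *s)
{
    return strlen(s) - 1;
}

/* Hypothetical helper: drop one trailing '\n' only when it is really
 * there, computing the length once. Returns the resulting length. */
static size_t chomp_newline(char *s)
{
    size_t len = strlen(s);

    if (len > 0 && s[len - 1] == '\n')
        s[--len] = '\0';
    return len;
}

int main(void)
{
    /* Constructed stand-ins for captured command output. */
    char samples[][16] = { "port-data\n", "", "no-newline" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t idx = unguarded_index(samples[i]);
        size_t len = chomp_newline(samples[i]);

        printf("unguarded write index: %s, chomped: \"%s\" (len %zu)\n",
               idx == SIZE_MAX ? "SIZE_MAX (out of bounds)" : "in bounds",
               samples[i], len);
    }
    return 0;
}
```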
