Re: [libvirt] [PATCH] Fix libvirtd free() segfault when migrating guest with deleted open vswitch port
On 26.01.2016 19:25, Jason J. Herne wrote: > libvirtd crashes on free()ing portData for an open vswitch port if that port > was deleted. To reproduce: > > ovs-vsctl del-port vnet0 > virsh migrate --live kvm1 qemu+ssh://dstHost/system > > Error message: > libvirtd: *** Error in `/usr/sbin/libvirtd': free(): invalid pointer: > 0x03ff90001e20 *** > > The problem is that virCommandRun can return an empty string in the event that > the port being queried does not exist. When this happens then we are > unconditionally overwriting a newline character at position strlen()-1. When > strlen is 0, we overwrite memory that does not belong to the string. > > The fix: Only overwrite the newline if the string is not empty. > > Reviewed-by: Bjoern Walk > Signed-off-by: Jason J. Herne > --- > src/util/virnetdevopenvswitch.c | 6 -- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/src/util/virnetdevopenvswitch.c b/src/util/virnetdevopenvswitch.c > index 6780fb5..0f640d0 100644 > --- a/src/util/virnetdevopenvswitch.c > +++ b/src/util/virnetdevopenvswitch.c > @@ -222,8 +222,10 @@ int virNetDevOpenvswitchGetMigrateData(char **migrate, > const char *ifname) > goto cleanup; > } > > -/* Wipeout the newline */ > -(*migrate)[strlen(*migrate) - 1] = '\0'; > +/* Wipeout the newline, if it exists */ > +if (strlen(*migrate) > 0) { > +(*migrate)[strlen(*migrate) - 1] = '\0'; > +} I'd rather see us computing the length of string once but I guess compiler is wise enough to optimize the code for us. Michal -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
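The compute-the-length-once form raised in the reply above, as an added example that is not libvirt's code and not part of the thread. It goes one step beyond the patch by also checking that the last byte really is a newline; the function names unchecked_last_index and chomp_newline and the sample strings are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Index that the unpatched expression strlen(s) - 1 evaluates to.
 * size_t is unsigned, so for an empty string the subtraction wraps to
 * SIZE_MAX; used as a subscript on typical platforms that lands on the
 * byte just before the buffer. Only the index is computed here, nothing
 * is written. */
size_t unchecked_last_index(const char *s)
{
    return strlen(s) - 1;
}

/* Hardened trim: the length is taken once, and the last byte is cleared
 * only when the string is non-empty and that byte is a newline.
 * Returns 1 if a newline was removed, 0 otherwise. */
int chomp_newline(char *s)
{
    size_t len;

    if (!s)
        return 0;
    len = strlen(s);
    if (len > 0 && s[len - 1] == '\n') {
        s[len - 1] = '\0';
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample outputs: a normal reply, an empty reply (the
     * deleted-port case), and a reply without a trailing newline. */
    char normal[] = "portdata\n";
    char empty[] = "";
    char bare[] = "portdata";

    printf("wrapped index for \"\": %zu\n", unchecked_last_index(empty));
    printf("normal: removed=%d -> \"%s\"\n", chomp_newline(normal), normal);
    printf("empty:  removed=%d -> \"%s\"\n", chomp_newline(empty), empty);
    printf("bare:   removed=%d -> \"%s\"\n", chomp_newline(bare), bare);
    return 0;
}
```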
Re: [libvirt] [PATCH] Fix libvirtd free() segfault when migrating guest with deleted open vswitch port
On Tue, 2016-01-26 at 13:25 -0500, Jason J. Herne wrote: > libvirtd crashes on free()ing portData for an open vswitch port if that port > was deleted. To reproduce: > > ovs-vsctl del-port vnet0 > virsh migrate --live kvm1 qemu+ssh://dstHost/system > > Error message: > libvirtd: *** Error in `/usr/sbin/libvirtd': free(): invalid pointer: > 0x03ff90001e20 *** > > The problem is that virCommandRun can return an empty string in the event that > the port being queried does not exist. When this happens then we are > unconditionally overwriting a newline character at position strlen()-1. When > strlen is 0, we overwrite memory that does not belong to the string. > > The fix: Only overwrite the newline if the string is not empty. > > Reviewed-by: Bjoern Walk > Signed-off-by: Jason J. Herne > --- > src/util/virnetdevopenvswitch.c | 6 -- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/src/util/virnetdevopenvswitch.c b/src/util/virnetdevopenvswitch.c > index 6780fb5..0f640d0 100644 > --- a/src/util/virnetdevopenvswitch.c > +++ b/src/util/virnetdevopenvswitch.c > @@ -222,8 +222,10 @@ int virNetDevOpenvswitchGetMigrateData(char **migrate, > const char *ifname) > goto cleanup; > } > > -/* Wipeout the newline */ > -(*migrate)[strlen(*migrate) - 1] = '\0'; > +/* Wipeout the newline, if it exists */ > +if (strlen(*migrate) > 0) { > +(*migrate)[strlen(*migrate) - 1] = '\0'; > +} > ret = 0; > cleanup: > virCommandFree(cmd); Amended to prevent Curly brackets around single-line body: src/util/virnetdevopenvswitch.c:226-228: if (strlen(*migrate) > 0) { (*migrate)[strlen(*migrate) - 1] = '\0'; } maint.mk: incorrect formatting, see HACKING for rules cfg.mk:1084: recipe for target 'bracket-spacing-check' failed on 'make syntax-check' and pushed. Cheers. -- Andrea Bolognani Software Engineer - Virtualization Team -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
[libvirt] [PATCH] Fix libvirtd free() segfault when migrating guest with deleted open vswitch port
libvirtd crashes on free()ing portData for an open vswitch port if that port was deleted. To reproduce: ovs-vsctl del-port vnet0 virsh migrate --live kvm1 qemu+ssh://dstHost/system Error message: libvirtd: *** Error in `/usr/sbin/libvirtd': free(): invalid pointer: 0x03ff90001e20 *** The problem is that virCommandRun can return an empty string in the event that the port being queried does not exist. When this happens then we are unconditionally overwriting a newline character at position strlen()-1. When strlen is 0, we overwrite memory that does not belong to the string. The fix: Only overwrite the newline if the string is not empty. Reviewed-by: Bjoern Walk Signed-off-by: Jason J. Herne --- src/util/virnetdevopenvswitch.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/util/virnetdevopenvswitch.c b/src/util/virnetdevopenvswitch.c index 6780fb5..0f640d0 100644 --- a/src/util/virnetdevopenvswitch.c +++ b/src/util/virnetdevopenvswitch.c @@ -222,8 +222,10 @@ int virNetDevOpenvswitchGetMigrateData(char **migrate, const char *ifname) goto cleanup; } -/* Wipeout the newline */ -(*migrate)[strlen(*migrate) - 1] = '\0'; +/* Wipeout the newline, if it exists */ +if (strlen(*migrate) > 0) { +(*migrate)[strlen(*migrate) - 1] = '\0'; +} ret = 0; cleanup: virCommandFree(cmd); -- 1.9.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
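Review bot: the new guard in virNetDevOpenvswitchGetMigrateData only tests strlen(*migrate) > 0, so the last byte is still cleared whether or not it is a newline, which does not match the updated comment "if it exists". Take the length once (size_t len = strlen(*migrate);) and clear the byte only when len > 0 && (*migrate)[len - 1] == '\n'. Separately, an empty result still falls through to ret = 0, so the caller is handed an empty string as migrate data for a port that, per the commit message, does not exist; it is worth deciding whether that case should be reported as an error instead.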