git.ipfire.org Git - thirdparty/libvirt.git/commit

author	Marc Hartmayer <mhartmay@linux.ibm.com>
	Mon, 27 Aug 2018 13:20:13 +0000 (15:20 +0200)
committer	Michal Privoznik <mprivozn@redhat.com>
	Wed, 29 Aug 2018 08:02:03 +0000 (10:02 +0200)
commit	7e760f61577e6c4adbb0b015f8f7ac1796570cdd
tree	77dacf7796ef0c50ca046c972b203e54502047c4	tree \| snapshot
parent	6c5f6cdab95c7c98b8a0ee6a7e6ccbab450ed7fc	commit \| diff

virDomainObjListAddLocked: fix double free

If @vm has flagged as "to be removed" virDomainObjListFindByNameLocked
returns NULL (although the definition actually exists). Therefore, the
possibility exits that "virHashAddEntry" will raise the error
"Duplicate key" => virDomainObjListAddObjLocked fails =>
virDomainObjEndAPI(&vm) is called and this leads to a freeing of @def
since @def is already assigned to vm->def. But actually this leads to
a double free since the common usage pattern is that the caller of
virDomainObjListAdd(Locked) is responsible for freeing @def in case of
an error.

Let's fix this by setting vm->def to NULL in case of an error.

Backtrace:

   ➤  bt
   #0  virFree (ptrptr=0x7575757575757575)
   #1  0x000003ffb5b25b3e in virDomainResourceDefFree
   #2  0x000003ffb5b37c34 in virDomainDefFree
   #3  0x000003ff9123f734 in qemuDomainDefineXMLFlags
   #4  0x000003ff9123f7f4 in qemuDomainDefineXML
   #5  0x000003ffb5cd2c84 in virDomainDefineXML
   #6  0x000000011745aa82 in remoteDispatchDomainDefineXML
   ...

Reviewed-by: Bjoern Walk <bwalk@linux.ibm.com>
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>