From: zhanghailiang <zhang.zhanghailiang@huawei.com>
Date: Tue, 28 Feb 2017 03:54:18 +0000 (+0800)
Subject: net/colo: fix memory double free error
X-Git-Tag: v2.9.0-rc0~24^2~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0e79668e1ffcfabb259bea6c2a2bae00a6b27252;p=thirdparty%2Fqemu.git

net/colo: fix memory double free error

The 'primary_list' and 'secondary_list' members of struct Connection
is not allocated through dynamically g_queue_new(), but we free it by using
g_queue_free(), which will lead to a double-free bug.

Reviewed-by: Zhang Chen <zhangchen.fnst@cn.fujitsu.com>
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---

diff --git a/net/colo.c b/net/colo.c
index 6a6eacd2dc2..8cc166bc222 100644
--- a/net/colo.c
+++ b/net/colo.c
@@ -147,9 +147,9 @@ void connection_destroy(void *opaque)
     Connection *conn = opaque;
 
     g_queue_foreach(&conn->primary_list, packet_destroy, NULL);
-    g_queue_free(&conn->primary_list);
+    g_queue_clear(&conn->primary_list);
     g_queue_foreach(&conn->secondary_list, packet_destroy, NULL);
-    g_queue_free(&conn->secondary_list);
+    g_queue_clear(&conn->secondary_list);
     g_slice_free(Connection, conn);
 }