From: Peter Krempa <pkrempa@redhat.com>
Date: Mon, 9 Jul 2012 12:10:05 +0000 (+0200)
Subject: storage_backend_fs: Don't free a part of a structure on error
X-Git-Tag: CVE-2012-3445~201
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ab9c72ae9e55e7190f52ad1550624630a5c7f78b;p=thirdparty%2Flibvirt.git

storage_backend_fs: Don't free a part of a structure on error

As the storage pool sources are stored in a list of structs, the pointer
returned by virStoragePoolSourceListNewSource() shouldn't be freed as it
points in the middle of a memory block. This combined with a regression
that takes the error path every time on caused a double-free abort on
the src struct in question.
---

diff --git a/src/storage/storage_backend_fs.c b/src/storage/storage_backend_fs.c
index c736496ef3..5e3da14963 100644
--- a/src/storage/storage_backend_fs.c
+++ b/src/storage/storage_backend_fs.c
@@ -218,10 +218,8 @@ virStorageBackendFileSystemNetFindPoolSourcesFunc(virStoragePoolObjPtr pool ATTR
     }
     src->format = VIR_STORAGE_POOL_NETFS_NFS;
 
-    src = NULL;
     ret = 0;
 cleanup:
-    virStoragePoolSourceFree(src);
     return ret;
 }