virConnectOpenInternal: Avoid double free() when alias is an invalid URI

Configuring an URI alias such as

  uri_aliases = [
      "blah=qemu://invaliduri@@@",
  ]

Results in a double free when the alias is used:

  $ virsh -c blah
  free(): double free detected in tcache 2
  Aborted (core dumped)

This happens as the 'alias' variable is first assigned to 'uristr' which
is cleared in the 'failed' label and then is explicitly freed again.

Fix this by stealing the alias into 'uristr' and removing the
unnecessary freeing.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>

diff --git a/src/libvirt.c b/src/libvirt.c
index b78b49a632de8db7365f6befb64b544a00183878..19379a2a53506bd326dff03767534e22c1516ca0 100644 (file)
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -940,14 +940,12 @@ virConnectOpenInternal(const char *name,
             goto failed;
 
         if (alias) {
-            VIR_FREE(uristr);
-            uristr = alias;
+            g_free(uristr);
+            uristr = g_steal_pointer(&alias);
         }
 
-        if (!(ret->uri = virURIParse(uristr))) {
-            VIR_FREE(alias);
+        if (!(ret->uri = virURIParse(uristr)))
             goto failed;
-        }
 
         /* Avoid need for drivers to worry about NULLs, as
          * no one needs to distinguish "" vs NULL */