util: Avoid libvirtd crash in virNetDevTapCreate

In fact, the 'tapfd' is always NULL, the function 'virNetDevTapCreate()' hasn't
assign 'fd' to 'tapfd', when the function 'virNetDevSetMAC()' is failed then
goto 'error' label, finally, the VIR_FORCE_CLOSE() will deref a NULL 'tapfd'.

* util/virnetdevtap.c (virNetDevTapCreateInBridgePort): fix a NULL pointer derefing.

* How to reproduce?

$ cat > /tmp/net.xml <<EOF
<network>
  <name>test</name>
  <forward mode='nat'/>
  <bridge name='br1' stp='off' delay='1' />
  <mac address='00:00:00:00:00:00'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.100.2' end='192.168.100.254' />
    </dhcp>
  </ip>
</network>
EOF

$ virsh net-define /tmp/net.xml

$ virsh net-start test
error: Failed to start network brTest
error: End of file while reading data: Input/output error

Signed-off-by: Alex Jia <ajia@redhat.com>

diff --git a/src/util/virnetdevtap.c b/src/util/virnetdevtap.c
index 0b3ac4618315be2229d2106e1ffffa4aac6fc41b..5d21164c82e611d2a4a5c72f264dabbd62104e7e 100644 (file)
--- a/src/util/virnetdevtap.c
+++ b/src/util/virnetdevtap.c
@@ -341,7 +341,8 @@ int virNetDevTapCreateInBridgePort(const char *brname,
     return 0;
 
  error:
-    VIR_FORCE_CLOSE(*tapfd);
+    if (tapfd)
+        VIR_FORCE_CLOSE(*tapfd);
 
     return errno;
 }