virLockSpaceNewPostExecRestart: Fix out-of-bounds array access
authorPeter Krempa <pkrempa@redhat.com>
Fri, 12 Mar 2021 09:16:11 +0000 (10:16 +0100)
committerPeter Krempa <pkrempa@redhat.com>
Fri, 12 Mar 2021 10:02:35 +0000 (11:02 +0100)
'res->owners' is allocated to 'res->nOwners' elements, but unfortunately
'res->nOwners' doesn't contain the proper value until after the
allocation so 0 elements are allocated. The following loop which assumes
that the array has the right number of elements then accesses the
pointer out of bounds. The bug was also faithfully converted from
VIR_ALLOC_N to g_new0.

Fixes: 4a3d6ed5ee0
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
src/util/virlockspace.c

index 9e80db6a0c96c8f0af9b75c95ecf56413d5155a4..0d6cff37074d6e7d8cd23d026226856604839ed5 100644 (file)
@@ -324,7 +324,6 @@ virLockSpacePtr virLockSpaceNewPostExecRestart(virJSONValuePtr object)
         const char *tmp;
         virJSONValuePtr owners;
         size_t j;
-        size_t m;
 
         res = g_new0(virLockSpaceResource, 1);
         res->fd = -1;
@@ -384,9 +383,8 @@ virLockSpacePtr virLockSpaceNewPostExecRestart(virJSONValuePtr object)
             goto error;
         }
 
-        m = virJSONValueArraySize(owners);
+        res->nOwners = virJSONValueArraySize(owners);
         res->owners = g_new0(pid_t, res->nOwners);
-        res->nOwners = m;
 
         for (j = 0; j < res->nOwners; j++) {
             unsigned long long int owner;
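Review bot: The `g_new0(pid_t, res->nOwners)` call now depends on `res->nOwners = virJSONValueArraySize(owners);` running immediately before it, and nothing in the code states that ordering requirement, which is how the stale count survived the VIR_ALLOC_N to g_new0 conversion. I would add a short comment above the two lines, for example `/* set nOwners first: it sizes res->owners and bounds the loop below */`, so a later refactor does not reorder them. The owner list appears to come from the serialized JSON state passed in as `object`, so a regression test that restores a lockspace resource with at least one owner would catch a recurrence of this out-of-bounds access; none is visible in this commit. The loop body and the rest of virLockSpaceNewPostExecRestart continue outside the hunk.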