From: Michal Privoznik Date: Thu, 6 Nov 2025 14:03:42 +0000 (+0100) Subject: ch_process: Avoid memleak in chProcessAddNetworkDevice() X-Git-Tag: CVE-2025-12748~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=29195b7b17baca41682f92d3b068ecf9270ed7eb;p=thirdparty%2Flibvirt.git ch_process: Avoid memleak in chProcessAddNetworkDevice() The 'payload' variable inside of chProcessAddNetworkDevice() is reused and thus the memory it points to just before its repurpose is not freed. Avoid reusing g_autofree variables. 128 bytes in 1 blocks are definitely lost in loss record 1,828 of 2,026 at 0x491A120: realloc (vg_replace_malloc.c:1801) by 0x4FEC251: g_realloc (in /usr/lib64/libglib-2.0.so.0.8400.4) by 0x500BB7E: g_string_expand (in /usr/lib64/libglib-2.0.so.0.8400.4) by 0x500BBF0: g_string_sized_new (in /usr/lib64/libglib-2.0.so.0.8400.4) by 0x4A114C0: virBufferInitialize (virbuffer.c:121) by 0x4A11890: virBufferAdd (virbuffer.c:160) by 0x4A67344: virJSONValueToBuffer (virjson.c:1562) by 0x4A673DB: virJSONValueToString (virjson.c:1599) by 0xBC878AB: virCHMonitorBuildNetJson (ch_monitor.c:466) by 0xBC8D4A9: chProcessAddNetworkDevice (ch_process.c:688) by 0xBC8FCE2: chDomainAttachDeviceLive (ch_hotplug.c:78) by 0xBC900CA: chDomainAttachDeviceLiveAndUpdateConfig (ch_hotplug.c:174) Signed-off-by: Michal Privoznik Reviewed-by: Jiri Denemark
---
diff --git a/src/ch/ch_process.c b/src/ch/ch_process.c
index a1f30f09e1..4ebb261805 100644
--- a/src/ch/ch_process.c
+++ b/src/ch/ch_process.c
@@ -637,6 +637,7 @@ chProcessAddNetworkDevice(virCHDriver *driver,
 g_auto(virBuffer) http_headers = VIR_BUFFER_INITIALIZER;
 g_autofree int *tapfds = NULL;
 g_autofree char *payload = NULL;
+ g_autofree char *netJSONPayload = NULL;
 g_autofree char *response = NULL;
 size_t tapfd_len;
 size_t payload_len;
@@ -685,15 +686,15 @@ chProcessAddNetworkDevice(virCHDriver *driver, } chAssignDeviceNetAlias(vmdef, net); - if (virCHMonitorBuildNetJson(net, &payload) < 0) { + if (virCHMonitorBuildNetJson(net, &netJSONPayload) < 0) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Failed to build net json")); return -1; } virBufferAsprintf(&buf, "%s", virBufferCurrentContent(&http_headers)); - virBufferAsprintf(&buf, "Content-Length: %zu\r\n\r\n", strlen(payload)); - virBufferAsprintf(&buf, "%s", payload); + virBufferAsprintf(&buf, "Content-Length: %zu\r\n\r\n", strlen(netJSONPayload)); + virBufferAddStr(&buf, netJSONPayload); payload_len = virBufferUse(&buf); payload = virBufferContentAndReset(&buf);
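Review bot: After this change `payload` and `netJSONPayload` are both live, but nothing at the last two context lines of this hunk says that `payload` now holds the complete HTTP request (headers plus JSON body) while `netJSONPayload` is only the body. A one-line comment above `payload_len = virBufferUse(&buf);`, for example `/* payload: full HTTP request (headers + JSON body); netJSONPayload: body only */`, would make it harder for a later edit to assign to an already-owning g_autofree pointer again, which is the leak this commit fixes. Separately, `strlen(netJSONPayload)` depends on virCHMonitorBuildNetJson() always setting the out pointer when it returns 0; that function is not visible here, so this presumably holds but is worth confirming. The body of chProcessAddNetworkDevice() starts and ends outside the hunk.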