From: Daniel P. Berrangé <berrange@redhat.com>
Date: Thu, 22 Dec 2022 17:17:15 +0000 (-0500)
Subject: remote: fix double free of migration params on error
X-Git-Tag: v9.0.0-rc2~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2b5f9251129d61cfc6cffa63d367af27850602a4;p=thirdparty%2Flibvirt.git

remote: fix double free of migration params on error

The remote_*_args methods will generally borrow pointers
passed in the caller, so should not be freed.

On failure of the virTypedParamsSerialize method, however,
xdr_free was being called. This is presumably because it
was thought that the params may have been partially
serialized and need cleaning up. This is incorrect, as
virTypedParamsSerialize takes care to cleanup partially
serialized data. This xdr_free call would lead to free'ing
the borrowed cookie pointers, which would be a double free.

Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---

diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 957635617d..43a714c79a 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -6919,8 +6919,6 @@ remoteDomainMigrateBegin3Params(virDomainPtr domain,
                                 (struct _virTypedParameterRemote **) &args.params.params_val,
                                 &args.params.params_len,
                                 VIR_TYPED_PARAM_STRING_OKAY) < 0) {
-        xdr_free((xdrproc_t) xdr_remote_domain_migrate_begin3_params_args,
-                 (char *) &args);
         goto cleanup;
     }
 
@@ -6981,8 +6979,6 @@ remoteDomainMigratePrepare3Params(virConnectPtr dconn,
                                 (struct _virTypedParameterRemote **) &args.params.params_val,
                                 &args.params.params_len,
                                 VIR_TYPED_PARAM_STRING_OKAY) < 0) {
-        xdr_free((xdrproc_t) xdr_remote_domain_migrate_prepare3_params_args,
-                 (char *) &args);
         goto cleanup;
     }
 
@@ -7063,8 +7059,6 @@ remoteDomainMigratePrepareTunnel3Params(virConnectPtr dconn,
                                 (struct _virTypedParameterRemote **) &args.params.params_val,
                                 &args.params.params_len,
                                 VIR_TYPED_PARAM_STRING_OKAY) < 0) {
-        xdr_free((xdrproc_t) xdr_remote_domain_migrate_prepare_tunnel3_params_args,
-                 (char *) &args);
         goto cleanup;
     }
 
@@ -7149,8 +7143,6 @@ remoteDomainMigratePerform3Params(virDomainPtr dom,
                                 (struct _virTypedParameterRemote **) &args.params.params_val,
                                 &args.params.params_len,
                                 VIR_TYPED_PARAM_STRING_OKAY) < 0) {
-        xdr_free((xdrproc_t) xdr_remote_domain_migrate_perform3_params_args,
-                 (char *) &args);
         goto cleanup;
     }
 
@@ -7216,8 +7208,6 @@ remoteDomainMigrateFinish3Params(virConnectPtr dconn,
                                 (struct _virTypedParameterRemote **) &args.params.params_val,
                                 &args.params.params_len,
                                 VIR_TYPED_PARAM_STRING_OKAY) < 0) {
-        xdr_free((xdrproc_t) xdr_remote_domain_migrate_finish3_params_args,
-                 (char *) &args);
         goto cleanup;
     }
 
@@ -7284,8 +7274,6 @@ remoteDomainMigrateConfirm3Params(virDomainPtr domain,
                                 (struct _virTypedParameterRemote **) &args.params.params_val,
                                 &args.params.params_len,
                                 VIR_TYPED_PARAM_STRING_OKAY) < 0) {
-        xdr_free((xdrproc_t) xdr_remote_domain_migrate_confirm3_params_args,
-                 (char *) &args);
         goto cleanup;
     }