From: Michal Privoznik
Date: Wed, 22 Mar 2017 12:07:14 +0000 (+0100)
Subject: network: Don't crash on domain destroy
X-Git-Tag: v3.2.0-rc2~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2fe93123bfb6e3bc373b3cc70c60522235c9c931;p=thirdparty%2Flibvirt.git

network: Don't crash on domain destroy

https://bugzilla.redhat.com/show_bug.cgi?id=1434882

Imagine the following scenario:

1) virsh net-start default
2) virsh start myFavouriteDomain
3) virsh net-destroy default
4) virsh destroy myFavouriteDomain

(assuming myFavouriteDomain has an interface from default network)

Regardless of how unlikely this scenario looks, we should not crash. The problem is, on net-destroy in networkShutdownNetworkVirtual() the virMacMap module is unrefed, but the stale pointer is kept around. Thus when the domain destroy procedure comes in, networkReleaseActualDevice() and subsequently networkMacMgrDel() are called. This function sees the stale pointer and starts calling the virMacMap module APIs which work over freed memory.

Signed-off-by: Michal Privoznik
---

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 3270dc5007..ef982363b4 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -2490,7 +2490,8 @@ networkShutdownNetworkVirtual(virNetworkDriverStatePtr driver, if (network->def->bandwidth) virNetDevBandwidthClear(network->def->bridge); - virObjectUnref(network->macmap); + if (!virObjectUnref(network->macmap)) + network->macmap = NULL; if (network->radvdPid > 0) { char *radvdpidbase;
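
Review bot: In networkShutdownNetworkVirtual(), the added `if (!virObjectUnref(network->macmap))` clears the pointer only when this unref drops the last reference, so if anything else still holds a reference, network->macmap stays set even though the network has already given up its own reference. The pointer can then dangle as soon as the other holder releases the object, which is the same use-after-free the commit message describes, and a second net-destroy path would unref it again. Consider clearing it unconditionally: `virObjectUnref(network->macmap);` followed by `network->macmap = NULL;`. The fix also depends on networkMacMgrDel() returning early when network->macmap is NULL; that check is not visible in this hunk, so a line in the commit message confirming it would help reviewers.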