From: Peter Krempa <pkrempa@redhat.com>
Date: Thu, 8 Sep 2022 14:31:58 +0000 (+0200)
Subject: virConnectOpenInternal: Avoid double free() when alias is an invalid URI
X-Git-Tag: v8.8.0-rc1~31
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=48e1b49353a5700427288185ca12c301ef2cfa3a;p=thirdparty%2Flibvirt.git

virConnectOpenInternal: Avoid double free() when alias is an invalid URI

Configuring an URI alias such as

  uri_aliases = [
      "blah=qemu://invaliduri@@@",
  ]

Results in a double free when the alias is used:

  $ virsh -c blah
  free(): double free detected in tcache 2
  Aborted (core dumped)

This happens as the 'alias' variable is first assigned to 'uristr' which
is cleared in the 'failed' label and then is explicitly freed again.

Fix this by stealing the alias into 'uristr' and removing the
unnecessary freeing.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
---

diff --git a/src/libvirt.c b/src/libvirt.c
index b78b49a632..19379a2a53 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -940,14 +940,12 @@ virConnectOpenInternal(const char *name,
             goto failed;
 
         if (alias) {
-            VIR_FREE(uristr);
-            uristr = alias;
+            g_free(uristr);
+            uristr = g_steal_pointer(&alias);
         }
 
-        if (!(ret->uri = virURIParse(uristr))) {
-            VIR_FREE(alias);
+        if (!(ret->uri = virURIParse(uristr)))
             goto failed;
-        }
 
         /* Avoid need for drivers to worry about NULLs, as
          * no one needs to distinguish "" vs NULL */