From: Peter Krempa Date: Fri, 17 Mar 2017 07:43:27 +0000 (+0100) Subject: qemu: Don't steal pointers from 'persistentDef' in qemuDomainGetBlockIoTune X-Git-Tag: v3.2.0-rc1~225 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4b57f765027c6e157a41a7445ec23359655be272;p=thirdparty%2Flibvirt.git qemu: Don't steal pointers from 'persistentDef' in qemuDomainGetBlockIoTune While the code path that queries the monitor allocates a separate copy of the 'group_name' string the path querying the config would not copy it. The call to virTypedParameterAssign would then steal the pointer (without clearing it) and the RPC layer freed it. Any subsequent call resulted into a crash. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1433183 --- diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 2032fac71d..dcd823f53c 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -17707,6 +17707,11 @@ qemuDomainGetBlockIoTune(virDomainPtr dom, goto endjob; } reply = disk->blkdeviotune; + + /* Group name needs to be copied since qemuMonitorGetBlockIoThrottle + * allocates it as well */ + if (VIR_STRDUP(reply.group_name, disk->blkdeviotune.group_name)) + goto endjob; } #define BLOCK_IOTUNE_ASSIGN(name, var) \ @@ -17736,13 +17741,15 @@ qemuDomainGetBlockIoTune(virDomainPtr dom, BLOCK_IOTUNE_ASSIGN(SIZE_IOPS_SEC, size_iops_sec); - /* NB: Cannot use macro since this is a STRING not a ULLONG */ - if (*nparams < maxparams && - virTypedParameterAssign(¶ms[(*nparams)++], - VIR_DOMAIN_BLOCK_IOTUNE_GROUP_NAME, - VIR_TYPED_PARAM_STRING, - reply.group_name) < 0) - goto endjob; + if (*nparams < maxparams) { + if (virTypedParameterAssign(¶ms[(*nparams)++], + VIR_DOMAIN_BLOCK_IOTUNE_GROUP_NAME, + VIR_TYPED_PARAM_STRING, + reply.group_name) < 0) + goto endjob; + + reply.group_name = NULL; + } BLOCK_IOTUNE_ASSIGN(TOTAL_BYTES_SEC_MAX_LENGTH, total_bytes_sec_max_length); BLOCK_IOTUNE_ASSIGN(READ_BYTES_SEC_MAX_LENGTH, read_bytes_sec_max_length); 
@@ -17759,6 +17766,7 @@ qemuDomainGetBlockIoTune(virDomainPtr dom, qemuDomainObjEndJob(driver, vm); cleanup: + VIR_FREE(reply.group_name); VIR_FREE(device); virDomainObjEndAPI(&vm); return ret;
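Review bot: in the first hunk (after `reply = disk->blkdeviotune;`) the VIR_STRDUP result is tested with `if (VIR_STRDUP(...))`, which jumps to endjob on success as well as on failure, since libvirt's VIR_STRDUP returns 1 when the string was copied, 0 when the source is NULL and -1 only on error. For a persistent config that actually carries a group_name this skips the whole parameter assignment below; the check should read `if (VIR_STRDUP(reply.group_name, disk->blkdeviotune.group_name) < 0)`. The copy itself is the right fix: the struct assignment on the line above shallow-copies the pointer, so without it `reply.group_name` aliases the config's buffer and the later hand-over to the params array makes the RPC layer free memory the domain definition still owns.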
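Review bot: in the second hunk the `reply.group_name = NULL;` after virTypedParameterAssign is the ownership transfer that makes the new VIR_FREE in cleanup safe, but the hunk drops the only comment at this site (the old "NB: Cannot use macro since this is a STRING not a ULLONG") and adds none; a one-line comment such as `/* ownership of the string is passed to params */` would make it clear to the next reader why the pointer is cleared rather than freed. Note also that the `¶ms[(*nparams)++]` in both the removed and added lines is the rendered form of `&params[...]`; the source itself is unaffected. When `*nparams >= maxparams` the branch is skipped and the string stays with `reply`, where the cleanup label frees it, so neither path leaks.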
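Review bot: in the third hunk `VIR_FREE(reply.group_name);` at the cleanup label is reached from every `goto cleanup` in the function, including the ones taken before either the monitor query or the config branch has populated `reply`; the declaration of `reply` is outside the diff, so please confirm it is zero-initialised (e.g. `= {0}` or a memset) rather than left indeterminate, otherwise this free operates on garbage on the early-exit paths. With that confirmed, the free correctly covers the two non-transferred cases (the maxparams branch skipped, or endjob reached after the strdup but before the assignment).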