From: Stefan Berger Date: Wed, 19 Mar 2014 17:38:44 +0000 (-0400) Subject: nwfilter: Fix double free of pointer X-Git-Tag: v1.2.3-rc1~150 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=963dcf905c5ee0358d6b0b74b124ff340cbbbd2b;p=thirdparty%2Flibvirt.git nwfilter: Fix double free of pointer https://bugzilla.redhat.com/show_bug.cgi?id=1071181 Commit 49b59a15 fixed one problem but masks another one related to pointer freeing. Avoid putting of the virNWFilterSnoopReq once the thread has been started. It belongs to the thread and the thread will call virNWFilterSnoopReqPut() on it. Signed-off-by: Stefan Berger
---
diff --git a/src/nwfilter/nwfilter_dhcpsnoop.c b/src/nwfilter/nwfilter_dhcpsnoop.c
index d2a806211c..340760471c 100644
--- a/src/nwfilter/nwfilter_dhcpsnoop.c
+++ b/src/nwfilter/nwfilter_dhcpsnoop.c
@@ -1605,6 +1605,7 @@ virNWFilterDHCPSnoopReq(virNWFilterTechDriverPtr techdriver,
 int tmp;
 virThread thread;
 virNWFilterVarValuePtr dhcpsrvrs;
+ bool threadPuts = false;
 virNWFilterSnoopIFKeyFMT(ifkey, vmuuid, macaddr);
@@ -1698,6 +1699,8 @@ virNWFilterDHCPSnoopReq(virNWFilterTechDriverPtr techdriver,
 goto exit_snoopreq_unlock;
 }
+ threadPuts = true;
+
 virAtomicIntInc(&virNWFilterSnoopState.nThreads);
 req->threadkey = virNWFilterSnoopActivate(req);
@@ -1737,7 +1740,8 @@ exit_rem_ifnametokey:
 exit_snoopunlock:
 virNWFilterSnoopUnlock();
 exit_snoopreqput:
- virNWFilterSnoopReqPut(req);
+ if (!threadPuts)
+ virNWFilterSnoopReqPut(req);
 return -1;
 }
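Review bot: The assignment `threadPuts = true;` in the second hunk marks the point where the reference on `req` passes to the snooping thread, but that reason is recorded only in the commit message. A comment directly above it would keep a later edit from moving the assignment or adding a second put on a new error path: `/* from here on the thread owns the reference and calls virNWFilterSnoopReqPut() itself */`. The `goto exit_snoopreq_unlock` branch before the assignment begins outside the hunk, so reading it as the thread-creation failure path is an inference from the commit message.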
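Review bot: Skipping the put at `exit_snoopreqput:` in the third hunk means a failure after the thread has started returns -1 while, going by the commit message, the thread alone decides when `req` is released, so the cleanup labels on those paths must not depend on `req` still being alive unless something else pins it. Only `exit_snoopunlock:` and `exit_snoopreqput:` are visible; `exit_rem_ifnametokey:` from the hunk header and the `exit_snoopreq_unlock` target from the second hunk lie outside the hunk and are worth checking for a use of `req` after release. I would also state the rule at the guarded call: `/* put only when the thread was never started; otherwise the thread releases req */`.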