From: Daniel P. Berrange
Date: Tue, 24 Sep 2013 15:34:06 +0000 (+0100)
Subject: Fix leak in qemuStringToArgvEnv upon OOM
X-Git-Tag: v1.1.3-rc1~32
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b391b19144e5daa3ce68d45468b05eb936d9b244;p=thirdparty%2Flibvirt.git

Fix leak in qemuStringToArgvEnv upon OOM

The 'qemuStringToArgvEnv' method splits up a string of command line env/args to an 'arglist' array. It then copies env vars to a 'progenv' array and args to a 'progargv' array. When copying the env vars, it NULL-ifies the element in 'arglist' that is copied.

Upon OOM the 'virStringListFree' is called on progenv and arglist. Unfortunately, because the elements in 'arglist' related to env vars have been set to NULL, the call to virStringListFree(arglist) doesn't free anything, even though some non-NULL args vars still exist later in the array.

To fix this leak, stop NULL-ifying the 'arglist' elements, and change the cleanup code to only free elements in the 'arglist' array, not 'progenv'.

Signed-off-by: Daniel P. Berrange
---
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 992714baf7..4b4f9c92b0 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -9819,10 +9819,8 @@ static int qemuStringToArgvEnv(const char *args, if (envend > 0) { if (VIR_REALLOC_N(progenv, envend+1) < 0) goto error; - for (i = 0; i < envend; i++) { + for (i = 0; i < envend; i++) progenv[i] = arglist[i]; - arglist[i] = NULL; - } progenv[i] = NULL; } @@ -9841,7 +9839,8 @@ static int qemuStringToArgvEnv(const char *args, return 0; error: - virStringFreeList(progenv); + VIR_FREE(progenv); + VIR_FREE(progargv); virStringFreeList(arglist); return -1; }
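
Review bot: In the first hunk, in the `for (i = 0; i < envend; i++)` loop, dropping `arglist[i] = NULL;` leaves `progenv[i]` and `arglist[i]` pointing at the same strings, so each env string is now reachable from two arrays and the ownership rule is undocumented. The code between this loop and `return 0;` is not visible here; on success it has to release only the `arglist` array itself and must not call `virStringFreeList(arglist)`, otherwise the caller is handed dangling pointers in `progenv`. A short comment above the loop saying that `progenv` borrows its elements from `arglist` would keep a later change from reintroducing a double free or a use-after-free.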
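
Review bot: At the `error:` label in the second hunk, `VIR_FREE(progargv);` is a new free that the commit message does not mention; the message only covers the `progenv` cleanup. Freeing just the array is correct only if `progargv` is filled with pointers borrowed from `arglist`, the way `progenv[i] = arglist[i]` is in the first hunk, and that assignment is outside the visible lines; if `progargv` holds its own copies, this path still leaks them. Please confirm that and add the `progargv` fix to the commit message. The message also says 'virStringListFree' while the code calls `virStringFreeList`.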