From: Jim Meyering <meyering@redhat.com>
Date: Mon, 14 Dec 2009 16:17:53 +0000 (+0100)
Subject: libvirt.c: don't let a NULL "cpumaps" argument provoke a NULL-deref
X-Git-Tag: v0.7.5~73
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d37bca86d0224052cb22d318fb7a4388909fc5e0;p=thirdparty%2Flibvirt.git

libvirt.c: don't let a NULL "cpumaps" argument provoke a NULL-deref

* src/libvirt.c (virDomainGetVcpus): Describe new, stronger
requirement on "maplen"s relationship to "cpumaps".
---

diff --git a/src/libvirt.c b/src/libvirt.c
index 008e322887..103b3312dd 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -4753,6 +4753,7 @@ error:
  *      virDomainPinVcpu() API.
  * @maplen: number of bytes in one cpumap, from 1 up to size of CPU map in
  *	underlying virtualization system (Xen...).
+ *	Must be zero when cpumaps is NULL and positive when it is non-NULL.
  *
  * Extract information about virtual CPUs of domain, store it in info array
  * and also in cpumaps if this pointer isn't NULL.
@@ -4776,7 +4777,11 @@ virDomainGetVcpus(virDomainPtr domain, virVcpuInfoPtr info, int maxinfo,
         virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__);
         goto error;
     }
-    if (cpumaps != NULL && maplen < 1) {
+
+    /* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not
+       try to memcpy anything into a NULL pointer.  */
+    if ((cpumaps == NULL && maplen != 0)
+        || (cpumaps && maplen <= 0)) {
         virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__);
         goto error;
     }