stream: avoid use-after-free

virFDStreamClose used a mutex after it was freed, and failed to destroy that mutex on its last use. * src/fdstream.c (virFDStreamFree): Inline into sole caller... (virFDStreamClose): ...to avoid use-after-free and leak. Reported by Matthias Bolte.

stream: avoid use-after-free
virFDStreamClose used a mutex after it was freed, and failed to destroy that mutex on its last use. * src/fdstream.c (virFDStreamFree): Inline into sole caller... (virFDStreamClose): ...to avoid use-after-free and leak. Reported by Matthias Bolte.
34b999be · Eric Blake · fbe3ab1a · 34b999be
显示空白变更内容
内联并排

Showing with 14 addition and 20 deletion

src/fdstream.c src/fdstream.c +14 -20

未找到文件。
--- a/src/fdstream.c
+++ b/src/fdstream.c
@@ -210,9 +210,20 @@ cleanup:
    return ret;
 }

-static int virFDStreamFree(struct virFDStreamData *fdst)
+
+static int
+virFDStreamClose(virStreamPtr st)
 {
+    struct virFDStreamData *fdst = st->privateData;
    int ret;
+
+    VIR_DEBUG("st=%p", st);
+
+    if (!fdst)
+        return 0;
+
+    virMutexLock(&fdst->lock);
+
    ret = VIR_CLOSE(fdst->fd);
    if (fdst->cmd) {
        char buf[1024];
@@ -243,29 +254,12 @@ static int virFDStreamFree(struct virFDStreamData *fdst)
        }
        virCommandFree(fdst->cmd);
    }
-    VIR_FREE(fdst);
-    return ret;
-}
-
-
-static int
-virFDStreamClose(virStreamPtr st)
-{
-    struct virFDStreamData *fdst = st->privateData;
-    int ret;
-
-    VIR_DEBUG("st=%p", st);
-
-    if (!fdst)
-        return 0;
-
-    virMutexLock(&fdst->lock);
-
-    ret = virFDStreamFree(fdst);

    st->privateData = NULL;

    virMutexUnlock(&fdst->lock);
+    virMutexDestroy(&fdst->lock);
+    VIR_FREE(fdst);

    return ret;
 }