From 4a4cff58eff28d5fe7501d9e9a8de8020e5481b6 Mon Sep 17 00:00:00 2001
From: Pavel Hrdina
Date: Wed, 3 Dec 2014 18:50:16 +0100
Subject: [PATCH] cpu: fix possible crash in getModels
Commit 86a15a25 introduced a new cpu driver API 'getModels'. Public API allow you to pass NULL for models to get only number of existing models. However the new code will crash with segfault so we have to count with the possibility that the user wants only the number. There is also difference in order of the models gathered by this new API as the old approach was inserting the elements to the end of the array so we should use 'VIR_APPEND_ELEMENT'.
Signed-off-by: Pavel Hrdina
---
 src/cpu/cpu_powerpc.c | 17 ++++++++++++-----
 src/cpu/cpu_x86.c | 17 ++++++++++++-----
 2 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/src/cpu/cpu_powerpc.c b/src/cpu/cpu_powerpc.c
index 871401b017..1cd6874c05 100644
--- a/src/cpu/cpu_powerpc.c
+++ b/src/cpu/cpu_powerpc.c
@@ -666,11 +666,15 @@ ppcGetModels(char ***models)
 model = map->models;
 while (model != NULL) {
- if (VIR_STRDUP(name, model->name) < 0)
- goto error;
+ if (models) {
+ if (VIR_STRDUP(name, model->name) < 0)
+ goto error;
- if (VIR_INSERT_ELEMENT(*models, 0, nmodels, name) < 0)
- goto error;
+ if (VIR_APPEND_ELEMENT(*models, nmodels, name) < 0)
+ goto error;
+ } else {
+ nmodels++;
+ }
 model = model->next;
 }
@@ -681,7 +685,10 @@ ppcGetModels(char ***models)
 return nmodels;
 error:
- virStringFreeList(*models);
+ if (models) {
+ virStringFreeList(*models);
+ *models = NULL;
+ }
 nmodels = -1;
 goto cleanup;
 }
diff --git a/src/cpu/cpu_x86.c b/src/cpu/cpu_x86.c
index f6dcba41d0..45be262307 100644
--- a/src/cpu/cpu_x86.c
+++ b/src/cpu/cpu_x86.c
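Review bot: In the ppcGetModels loop, `name` is not released when `VIR_APPEND_ELEMENT` fails: the macro appears to take ownership of the string only on success, and the `error:` path frees just `*models`, so the copy made by `VIR_STRDUP` would leak unless it is freed outside the hunk. Releasing it before the jump closes the gap, `if (VIR_APPEND_ELEMENT(*models, nmodels, name) < 0) { VIR_FREE(name); goto error; }`. The x86GetModels loop hunk has the same pattern. The function body starts and ends outside the hunk, so any later free of `name` is not visible here.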
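Review bot: The `error:` path in ppcGetModels hands `*models` to `virStringFreeList`, but the array built by `VIR_APPEND_ELEMENT` holds exactly `nmodels` entries and the visible code appends no terminating NULL. If `virStringFreeList` walks to a NULL sentinel, which should be confirmed against its definition, a failure partway through the loop would read past the allocation and could free stray pointers. Freeing by count with a local index avoids that: `for (i = 0; i < nmodels; i++) VIR_FREE((*models)[i]);` followed by `VIR_FREE(*models);`. It is also worth confirming that `*models` is set to NULL before the first `goto error`, which the hunk does not show. The x86GetModels `error:` hunk has the same shape.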
@@ -2176,11 +2176,15 @@ x86GetModels(char ***models)
 model = map->models;
 while (model != NULL) {
- if (VIR_STRDUP(name, model->name) < 0)
- goto error;
+ if (models) {
+ if (VIR_STRDUP(name, model->name) < 0)
+ goto error;
- if (VIR_INSERT_ELEMENT(*models, 0, nmodels, name) < 0)
- goto error;
+ if (VIR_APPEND_ELEMENT(*models, nmodels, name) < 0)
+ goto error;
+ } else {
+ nmodels++;
+ }
 model = model->next;
 }
@@ -2188,7 +2192,10 @@ x86GetModels(char ***models)
 return nmodels;
 error:
- virStringFreeList(*models);
+ if (models) {
+ virStringFreeList(*models);
+ *models = NULL;
+ }
 return -1;
 }
-- GitLab