conf: fix use after free in virChrdevOpen

Don't free the stream on error if we've successfully added it to the hash table, since it will be freed by virChrdevHashEntryFree callback. Preserve the error message before calling virStreamFree, since it resets the error. Introduced by 47161382, crashing since 69218922. Reported by Sergey Fionov on libvir-list. (cherry picked from commit a32b4174)

conf: fix use after free in virChrdevOpen
Don't free the stream on error if we've successfully added it to the hash table, since it will be freed by virChrdevHashEntryFree callback. Preserve the error message before calling virStreamFree, since it resets the error. Introduced by 47161382, crashing since 69218922. Reported by Sergey Fionov on libvir-list. (cherry picked from commit a32b4174)
a06bf7b2 · Ján Tomko · 067e9988 · a06bf7b2
隐藏空白更改
内联并排

Showing with 13 addition and 2 deletion

src/conf/virchrdev.c src/conf/virchrdev.c +13 -2

未找到文件。
--- a/src/conf/virchrdev.c
+++ b/src/conf/virchrdev.c
@@ -342,6 +342,8 @@ int virChrdevOpen(virChrdevsPtr devs,
    virStreamPtr savedStream;
    const char *path;
    int ret;
+    bool added = false;
+    virErrorPtr savedError;

    switch (source->type) {
    case VIR_DOMAIN_CHR_TYPE_PTY:
@@ -398,6 +400,7 @@ int virChrdevOpen(virChrdevsPtr devs,

    if (virHashAddEntry(devs->hash, path, st) < 0)
        goto error;
+    added = true;

    cbdata->devs = devs;
    if (!(cbdata->path = strdup(path))) {
@@ -432,8 +435,16 @@ int virChrdevOpen(virChrdevsPtr devs,
    return 0;

 error:
-    virStreamFree(st);
-    virHashRemoveEntry(devs->hash, path);
+    savedError = virSaveLastError();
+
+    if (added)
+        virHashRemoveEntry(devs->hash, path);
+    else
+        virStreamFree(st);
+
+    virSetError(savedError);
+    virFreeError(savedError);
+
    if (cbdata)
        VIR_FREE(cbdata->path);
    VIR_FREE(cbdata);