Fix memory leaks in libvirtd's message processing

Commit 47cab734 changed the way how qemud_client_message objects were reused. Before this commit remoteDispatchClientRequest() reused the received message for normal responses and to report non-fatal errors. If a fatal error occurred qemudWorker() frees the message. After this commit non-fatal errors are reported by remoteSerializeReplyError() using a new qemud_client_message object and the original message leaks. To fix this leak the original message has to be freed if remoteSerializeReplyError() succeeds. If remoteSerializeReplyError() fails the original message is freed in qemudWorker(). * daemon/dispatch.c: free qemud_client_message objects that will not be reused and would leak otherwise, also free the allocated qemud_client_message object in remoteSerializeError() if an error occurs

Fix memory leaks in libvirtd's message processing
Commit 47cab734 changed the way how qemud_client_message objects were reused. Before this commit remoteDispatchClientRequest() reused the received message for normal responses and to report non-fatal errors. If a fatal error occurred qemudWorker() frees the message. After this commit non-fatal errors are reported by remoteSerializeReplyError() using a new qemud_client_message object and the original message leaks. To fix this leak the original message has to be freed if remoteSerializeReplyError() succeeds. If remoteSerializeReplyError() fails the original message is freed in qemudWorker(). * daemon/dispatch.c: free qemud_client_message objects that will not be reused and would leak otherwise, also free the allocated qemud_client_message object in remoteSerializeError() if an error occurs
c6f1459e · Matthias Bolte · 727cda9d · c6f1459e
隐藏空白更改
内联并排

Showing with 13 addition and 2 deletion

daemon/dispatch.c daemon/dispatch.c +13 -2

未找到文件。
--- a/daemon/dispatch.c
+++ b/daemon/dispatch.c
@@ -195,6 +195,7 @@ remoteSerializeError(struct qemud_client *client,

 xdr_error:
    xdr_destroy(&xdr);
+    VIR_FREE(msg);
 fatal_error:
    xdr_free((xdrproc_t)xdr_remote_error,  (char *)rerr);
    return -1;
@@ -359,6 +360,7 @@ remoteDispatchClientRequest (struct qemud_server *server,
                             struct qemud_client *client,
                             struct qemud_client_message *msg)
 {
+    int ret;
    remote_error rerr;

    DEBUG("prog=%d ver=%d type=%d satus=%d serial=%d proc=%d",
@@ -404,7 +406,12 @@ remoteDispatchClientRequest (struct qemud_server *server,
    return 0;

 error:
-    return remoteSerializeReplyError(client, &rerr, &msg->hdr);
+    ret = remoteSerializeReplyError(client, &rerr, &msg->hdr);
+
+    if (ret >= 0)
+        VIR_FREE(msg);
+
+    return ret;
 }


@@ -561,8 +568,12 @@ remoteDispatchClientCall (struct qemud_server *server,
 rpc_error:
    /* Semi-bad stuff happened, we can still try to send back
     * an RPC error message to client */
-    return remoteSerializeReplyError(client, &rerr, &msg->hdr);
+    rv = remoteSerializeReplyError(client, &rerr, &msg->hdr);
+
+    if (rv >= 0)
+        VIR_FREE(msg);

+    return rv;

 xdr_error:
    /* Seriously bad stuff happened, so we'll kill off this client