提交 fb58f8e2 编写于 作者: P Peter Krempa

qemu: Don't corrupt pointer in qemuDomainSaveMemory()

The code that was split out into qemuDomainSaveMemory() expands (reallocates) the buffer holding the domain's XML description, which it receives from higher layers. If the reallocation moves the buffer, the caller's copy of the pointer is left dangling, and when the caller later frees it the process aborts.

This patch changes the expansion of the original string to a new
allocation and copy of the contents.
上级 9c294e6f
...@@ -2768,7 +2768,7 @@ static int ...@@ -2768,7 +2768,7 @@ static int
qemuDomainSaveMemory(struct qemud_driver *driver, qemuDomainSaveMemory(struct qemud_driver *driver,
virDomainObjPtr vm, virDomainObjPtr vm,
const char *path, const char *path,
const char *xml, const char *domXML,
int compressed, int compressed,
bool was_running, bool was_running,
unsigned int flags, unsigned int flags,
...@@ -2785,6 +2785,7 @@ qemuDomainSaveMemory(struct qemud_driver *driver, ...@@ -2785,6 +2785,7 @@ qemuDomainSaveMemory(struct qemud_driver *driver,
unsigned long long pad; unsigned long long pad;
unsigned long long offset; unsigned long long offset;
size_t len; size_t len;
char *xml = NULL;
memset(&header, 0, sizeof(header)); memset(&header, 0, sizeof(header));
memcpy(header.magic, QEMUD_SAVE_PARTIAL, sizeof(header.magic)); memcpy(header.magic, QEMUD_SAVE_PARTIAL, sizeof(header.magic));
...@@ -2793,7 +2794,7 @@ qemuDomainSaveMemory(struct qemud_driver *driver, ...@@ -2793,7 +2794,7 @@ qemuDomainSaveMemory(struct qemud_driver *driver,
header.compressed = compressed; header.compressed = compressed;
len = strlen(xml) + 1; len = strlen(domXML) + 1;
offset = sizeof(header) + len; offset = sizeof(header) + len;
/* Due to way we append QEMU state on our header with dd, /* Due to way we append QEMU state on our header with dd,
...@@ -2807,10 +2808,12 @@ qemuDomainSaveMemory(struct qemud_driver *driver, ...@@ -2807,10 +2808,12 @@ qemuDomainSaveMemory(struct qemud_driver *driver,
pad = 1024; pad = 1024;
pad += (QEMU_MONITOR_MIGRATE_TO_FILE_BS - pad += (QEMU_MONITOR_MIGRATE_TO_FILE_BS -
((offset + pad) % QEMU_MONITOR_MIGRATE_TO_FILE_BS)); ((offset + pad) % QEMU_MONITOR_MIGRATE_TO_FILE_BS));
if (VIR_EXPAND_N(xml, len, pad) < 0) { if (VIR_ALLOC_N(xml, len + pad) < 0) {
virReportOOMError(); virReportOOMError();
goto cleanup; goto cleanup;
} }
strcpy(xml, domXML);
offset += pad; offset += pad;
header.xml_len = len; header.xml_len = len;
...@@ -2878,6 +2881,7 @@ cleanup: ...@@ -2878,6 +2881,7 @@ cleanup:
VIR_FORCE_CLOSE(fd); VIR_FORCE_CLOSE(fd);
virFileWrapperFdCatchError(wrapperFd); virFileWrapperFdCatchError(wrapperFd);
virFileWrapperFdFree(wrapperFd); virFileWrapperFdFree(wrapperFd);
VIR_FREE(xml);
if (ret != 0 && needUnlink) if (ret != 0 && needUnlink)
unlink(path); unlink(path);
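Review bot: `header.xml_len = len;` at the end of the fourth hunk silently changes meaning with this patch: libvirt's VIR_EXPAND_N stores the grown size back into its count argument, so before the change `len` already included `pad` at that assignment, whereas VIR_ALLOC_N leaves `len` untouched and xml_len now records only strlen(domXML)+1 while `offset` still advances by `pad`. If the header writer or the restore path (both outside these hunks) rely on xml_len covering the padded region, the on-disk layout is now inconsistent with `offset`; restoring the old accounting is one line after the copy, `len += pad;` before `header.xml_len = len;`, or equivalently `header.xml_len = len + pad;`. Separately, the bytes between the NUL terminator and `len + pad` end up in the save file, and the hunk does not show that VIR_ALLOC_N zero-fills, so a comment such as `/* VIR_ALLOC_N zero-fills, so the pad bytes past the NUL are zero */` would make the invariant local, and `memcpy(xml, domXML, len);` would make the copy explicitly bounded by the length just computed. qemuDomainSaveMemory begins and ends outside the visible hunks.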
......