shaba/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-08-24 09:49:59 +03:00
Code Releases Activity

virLockSpaceNewPostExecRestart: Fix out-of-bounds array access

Browse Source 
'res->owners' is allocated to 'res->nOwners' elements, but unfortunately
'res->nOwners' doesn't contain the proper value until after the
allocation so 0 elements are allocated. The following loop which assumes
that the array has the right number of elements then accesses the
pointer out of bounds. The bug was also faithfully converted from
VIR_ALLOC_N to g_new0.

Fixes: 4a3d6ed5ee
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
Peter Krempa
2021-03-12 10:16:11 +01:00
parent 6b8e961399
commit eab7ae6bfe
1 changed files with 1 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/util/virlockspace.c
View File

@ -324,7 +324,6 @@ virLockSpacePtr virLockSpaceNewPostExecRestart(virJSONValuePtr object)
const char *tmp; const char *tmp;
virJSONValuePtr owners; virJSONValuePtr owners;
size_t j; size_t j;
size_t m;
res = g_new0(virLockSpaceResource, 1); res = g_new0(virLockSpaceResource, 1);
res->fd = -1; res->fd = -1;
@ -384,9 +383,8 @@ virLockSpacePtr virLockSpaceNewPostExecRestart(virJSONValuePtr object)
goto error; goto error;
} }
m = virJSONValueArraySize(owners); res->nOwners = virJSONValueArraySize(owners);
res->owners = g_new0(pid_t, res->nOwners); res->owners = g_new0(pid_t, res->nOwners);
res->nOwners = m;
for (j = 0; j < res->nOwners; j++) { for (j = 0; j < res->nOwners; j++) {
unsigned long long int owner; unsigned long long int owner;