From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:36061)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <zhanghy@sangfor.com>) id 1XFzJM-00076Y-EO
	for qemu-devel@nongnu.org; Sat, 09 Aug 2014 01:35:29 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <zhanghy@sangfor.com>) id 1XFzJE-0001Fs-9P
	for qemu-devel@nongnu.org; Sat, 09 Aug 2014 01:35:24 -0400
Received: from [58.251.49.30] (port=58641 helo=mail.sangfor.com)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <zhanghy@sangfor.com>) id 1XFzJC-0001FB-VX
	for qemu-devel@nongnu.org; Sat, 09 Aug 2014 01:35:16 -0400
Received: from localhost (mail.sangfor.com [127.0.0.1])
	by mail.sangfor.com (Postfix) with ESMTP id 6B55017C008F
	for <qemu-devel@nongnu.org>; Sat,  9 Aug 2014 13:23:59 +0800 (CST)
Received: from mail.sangfor.com ([127.0.0.1])
	by localhost (mail.sangfor.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id JDBhSLC1DQOg for <qemu-devel@nongnu.org>;
	Sat,  9 Aug 2014 13:23:58 +0800 (CST)
Received: from vv-PC (unknown [10.10.6.254])
	by mail.sangfor.com (Postfix) with ESMTPA id CCEBA17C008B
	for <qemu-devel@nongnu.org>; Sat,  9 Aug 2014 13:23:58 +0800 (CST)
Date: Sat, 9 Aug 2014 13:33:20 +0800
From: "Zhang Haoyu" <zhanghy@sangfor.com>
Message-ID: <201408091333190205168@sangfor.com>
Mime-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: [Qemu-devel] [patch] qcow2: double free snapshots
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel <qemu-devel@nongnu.org>

In qcow2_open(), if qcow2_read_snapshots() failed, qcow2_open() -> qcow2_free_snapshots() will be called, NULL snapshots dereference happened.
because qcow2_free_snapshots has been performed before in the fail case of qcow2_read_snapshots().
shown as below callstack,
qcow2_open
|- qcow2_read_snapshots
|-- goto fail;
|-- qcow2_free_snapshots
|- goto fail;
|- qcow2_free_snapshots  /* on this case, NULL snapshots dereference happened.  */

Signed-off-by: Zhang Haoyu <zhanghy@sangfor.com>
---
 block/qcow2-snapshot.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block/qcow2-snapshot.c b/block/qcow2-snapshot.c
index 0aa9def..15c0513 100644
--- a/block/qcow2-snapshot.c
+++ b/block/qcow2-snapshot.c
@@ -31,6 +31,10 @@ void qcow2_free_snapshots(BlockDriverState *bs)
     BDRVQcowState *s = bs->opaque;
     int i;
 
+    if (!s || !s->snapshots) {
+        return;
+    }
+
     for(i = 0; i < s->nb_snapshots; i++) {
         g_free(s->snapshots[i].name);
         g_free(s->snapshots[i].id_str);
-- 
1.9.4.msysgit.0