From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:41052)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1RXsmd-0002XD-6D
	for qemu-devel@nongnu.org; Tue, 06 Dec 2011 06:02:04 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1RXsmT-0005LJ-BQ
	for qemu-devel@nongnu.org; Tue, 06 Dec 2011 06:01:59 -0500
Received: from mail-qy0-f173.google.com ([209.85.216.173]:38957)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1RXsmT-0005LD-9H
	for qemu-devel@nongnu.org; Tue, 06 Dec 2011 06:01:49 -0500
Received: by qcsd15 with SMTP id d15so2774670qcs.4
	for <qemu-devel@nongnu.org>; Tue, 06 Dec 2011 03:01:48 -0800 (PST)
Sender: Paolo Bonzini <paolo.bonzini@gmail.com>
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue,  6 Dec 2011 12:01:22 +0100
Message-Id: <1323169292-21661-2-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1323169292-21661-1-git-send-email-pbonzini@redhat.com>
References: <1323169292-21661-1-git-send-email-pbonzini@redhat.com>
Subject: [Qemu-devel] [PATCH 01/11] qiov: prevent double free or
	use-after-free
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: stefanha@linux.vnet.ibm.com

qemu_iovec_destroy does not clear the QEMUIOVector fully, and the data
could thus be used after free or freed again.  This can be observed with
virtio-scsi, because canceling DMA requests can happen more easily with
SCSI (due to task management functions) than with other backends.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 cutils.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/cutils.c b/cutils.c
index 6db6304..24b3fe3 100644
--- a/cutils.c
+++ b/cutils.c
@@ -217,7 +217,10 @@ void qemu_iovec_destroy(QEMUIOVector *qiov)
 {
     assert(qiov->nalloc != -1);
 
+    qemu_iovec_reset(qiov);
     g_free(qiov->iov);
+    qiov->nalloc = 0;
+    qiov->iov = NULL;
 }
 
 void qemu_iovec_reset(QEMUIOVector *qiov)
-- 
1.7.7.1