[Qemu-devel] [PATCH] rbd: always set out parameter in qemu_rbd_snap

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Qemu-devel] [PATCH] rbd: always set out parameter in qemu_rbd_snap_list
@ 2011-12-07  1:05 Josh Durgin
  2011-12-07 10:27 ` Kevin Wolf
  0 siblings, 1 reply; 2+ messages in thread
From: Josh Durgin @ 2011-12-07  1:05 UTC (permalink / raw)
  To: qemu-devel; +Cc: kwolf, ceph-devel, chb

The caller expects psn_tab to be NULL when there are no snapshots or
an error occurs. This results in calling g_free on an invalid address.

Reported-by: Oliver Francke <Oliver@filoo.de>
Signed-off-by: Josh Durgin <josh.durgin@dreamhost.com>
---
 block/rbd.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/block/rbd.c b/block/rbd.c
index 9088c52..54a6961 100644
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -793,55 +793,56 @@ static int qemu_rbd_snap_create(BlockDriverState *bs,
 static int qemu_rbd_snap_list(BlockDriverState *bs,
                               QEMUSnapshotInfo **psn_tab)
 {
     BDRVRBDState *s = bs->opaque;
     QEMUSnapshotInfo *sn_info, *sn_tab = NULL;
     int i, snap_count;
     rbd_snap_info_t *snaps;
     int max_snaps = RBD_MAX_SNAPS;
 
     do {
         snaps = g_malloc(sizeof(*snaps) * max_snaps);
         snap_count = rbd_snap_list(s->image, snaps, &max_snaps);
         if (snap_count < 0) {
             g_free(snaps);
         }
     } while (snap_count == -ERANGE);
 
     if (snap_count <= 0) {
-        return snap_count;
+        goto done;
     }
 
     sn_tab = g_malloc0(snap_count * sizeof(QEMUSnapshotInfo));
 
     for (i = 0; i < snap_count; i++) {
         const char *snap_name = snaps[i].name;
 
         sn_info = sn_tab + i;
         pstrcpy(sn_info->id_str, sizeof(sn_info->id_str), snap_name);
         pstrcpy(sn_info->name, sizeof(sn_info->name), snap_name);
 
         sn_info->vm_state_size = snaps[i].size;
         sn_info->date_sec = 0;
         sn_info->date_nsec = 0;
         sn_info->vm_clock_nsec = 0;
     }
     rbd_snap_list_end(snaps);
 
+ done:
     *psn_tab = sn_tab;
     return snap_count;
 }
 
 static QEMUOptionParameter qemu_rbd_create_options[] = {
     {
      .name = BLOCK_OPT_SIZE,
      .type = OPT_SIZE,
      .help = "Virtual disk size"
     },
     {
      .name = BLOCK_OPT_CLUSTER_SIZE,
      .type = OPT_SIZE,
      .help = "RBD object size"
     },
     {NULL}
 };
 
-- 
1.7.1

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [Qemu-devel] [PATCH] rbd: always set out parameter in qemu_rbd_snap_list
  2011-12-07  1:05 [Qemu-devel] [PATCH] rbd: always set out parameter in qemu_rbd_snap_list Josh Durgin
@ 2011-12-07 10:27 ` Kevin Wolf
  0 siblings, 0 replies; 2+ messages in thread
From: Kevin Wolf @ 2011-12-07 10:27 UTC (permalink / raw)
  To: Josh Durgin; +Cc: ceph-devel, qemu-devel, chb

Am 07.12.2011 02:05, schrieb Josh Durgin:
> The caller expects psn_tab to be NULL when there are no snapshots or
> an error occurs. This results in calling g_free on an invalid address.
> 
> Reported-by: Oliver Francke <Oliver@filoo.de>
> Signed-off-by: Josh Durgin <josh.durgin@dreamhost.com>

Thanks, applied to the block branch.

Kevin

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2011-12-07 10:24 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-12-07  1:05 [Qemu-devel] [PATCH] rbd: always set out parameter in qemu_rbd_snap_list Josh Durgin
2011-12-07 10:27 ` Kevin Wolf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).