From: Stefan Hajnoczi <stefanha@redhat.com>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
Anthony Liguori <aliguori@us.ibm.com>,
Stefan Hajnoczi <stefanha@redhat.com>
Subject: [Qemu-devel] [PATCH 06/11] rbd: Fix use after free in rbd_open()
Date: Fri, 26 Apr 2013 13:44:32 +0200 [thread overview]
Message-ID: <1366976682-10251-13-git-send-email-stefanha@redhat.com> (raw)
In-Reply-To: <1366976682-10251-1-git-send-email-stefanha@redhat.com>
From: Kevin Wolf <kwolf@redhat.com>
Commit a9ccedc3 frees the QemuOpts for the driver-specific options
immediately, even though it still needs the filename string that is
contained there. This doesn't work. Move the deletion of the QemuOpts to
the end of the function where its content isn't needed any more.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
block/rbd.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/block/rbd.c b/block/rbd.c
index 1826411..0f2608b 100644
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -478,20 +478,20 @@ static int qemu_rbd_open(BlockDriverState *bs, QDict *options, int flags)
}
filename = qemu_opt_get(opts, "filename");
- qemu_opts_del(opts);
if (qemu_rbd_parsename(filename, pool, sizeof(pool),
snap_buf, sizeof(snap_buf),
s->name, sizeof(s->name),
conf, sizeof(conf)) < 0) {
- return -EINVAL;
+ r = -EINVAL;
+ goto failed_opts;
}
clientname = qemu_rbd_parse_clientname(conf, clientname_buf);
r = rados_create(&s->cluster, clientname);
if (r < 0) {
error_report("error initializing");
- return r;
+ goto failed_opts;
}
s->snap = NULL;
@@ -557,6 +557,7 @@ static int qemu_rbd_open(BlockDriverState *bs, QDict *options, int flags)
NULL, qemu_rbd_aio_flush_cb, s);
+ qemu_opts_del(opts);
return 0;
failed:
@@ -566,6 +567,8 @@ failed_open:
failed_shutdown:
rados_shutdown(s->cluster);
g_free(s->snap);
+failed_opts:
+ qemu_opts_del(opts);
return r;
}
--
1.8.1.4
next prev parent reply other threads:[~2013-04-26 11:45 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-26 11:44 [Qemu-devel] [PULL 00/11] Block patches Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 01/11] block: Introduce bdrv_writev_vmstate Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 01/11] block/ssh: Require libssh2 >= 1.2.8 Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 02/11] savevm: Implement block_writev_buffer() Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 02/11] sheepdog: add discard/trim support for sheepdog Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 03/11] block: Introduce bdrv_pwritev() for qcow2_save_vmstate Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 03/11] sheepdog: use BDRV_SECTOR_SIZE Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 04/11] qemu-iotests: A few more bdrv_pread/pwrite tests Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 04/11] sheepdog: implement .bdrv_co_is_allocated() Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 05/11] block: Disable driver-specific options for 1.5 Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 05/11] qemu-iotests: Add test for -drive options Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 06/11] qemu-iotests: filter QEMU_PROG in 051.out Stefan Hajnoczi
2013-04-26 11:44 ` Stefan Hajnoczi [this message]
2013-04-26 11:44 ` [Qemu-devel] [PATCH 07/11] ide: refuse WIN_READ_NATIVE_MAX on empty device Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 07/11] sheepdog: cleanup find_vdi_name Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 08/11] block: Add support for Secure Shell (ssh) block device Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 08/11] sheepdog: add SD_RES_READONLY result code Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 09/11] block: ssh: Use libssh2_sftp_fsync (if supported by libssh2) to flush to disk Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 09/11] sheepdog: add helper function to reload inode Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 10/11] iotests: Add 'check -ssh' option to test Secure Shell block device Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 10/11] sheepdog: resend write requests when SD_RES_READONLY is received Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 11/11] rbd: add an asynchronous flush Stefan Hajnoczi
2013-04-26 11:44 ` [Qemu-devel] [PATCH 11/11] sheepdog: fix loadvm operation Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1366976682-10251-13-git-send-email-stefanha@redhat.com \
--to=stefanha@redhat.com \
--cc=aliguori@us.ibm.com \
--cc=kwolf@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).