From mboxrd@z Thu Jan  1 00:00:00 1970
From: anthony.perard@citrix.com
Subject: [PATCH 1/5] libxl: fix double free of ifname,
	when makes args for qemu.
Date: Thu,  9 Dec 2010 19:42:53 +0000
Message-ID: <1291923777-8712-2-git-send-email-anthony.perard@citrix.com>
References: <1291923777-8712-1-git-send-email-anthony.perard@citrix.com>
Return-path: <xen-devel-bounces@lists.xensource.com>
In-Reply-To: <1291923777-8712-1-git-send-email-anthony.perard@citrix.com>
List-Unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xensource.com>
List-Help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-Subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: Xen Devel <xen-devel@lists.xensource.com>
Cc: anthony.perard@citrix.com
List-Id: xen-devel@lists.xenproject.org

From: Anthony PERARD <anthony.perard@citrix.com>

In libxl_build_device_model_args_new, vifs[i].ifname can be free two
times, by the gc, and by freeing the vifs structures. This patch avoids
this.
---
 tools/libxl/libxl.c |   10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
index 33e5a2a..0feb93f 100644
--- a/tools/libxl/libxl.c
+++ b/tools/libxl/libxl.c
@@ -1341,14 +1341,18 @@ static char ** libxl_build_device_model_args_new(libxl__gc *gc,
                 char *smac = libxl__sprintf(gc, "%02x:%02x:%02x:%02x:%02x:%02x",
                                            vifs[i].mac[0], vifs[i].mac[1], vifs[i].mac[2],
                                            vifs[i].mac[3], vifs[i].mac[4], vifs[i].mac[5]);
-                if (!vifs[i].ifname)
-                    vifs[i].ifname = libxl__sprintf(gc, "tap%d.%d", info->domid, vifs[i].devid);
+                char *ifname;
+                if (!vifs[i].ifname) {
+                    ifname = libxl__sprintf(gc, "tap%d.%d", info->domid, vifs[i].devid);
+                } else {
+                    ifname = vifs[i].ifname;
+                }
                 flexarray_set(dm_args, num++, "-net");
                 flexarray_set(dm_args, num++, libxl__sprintf(gc, "nic,vlan=%d,macaddr=%s,model=%s",
                             vifs[i].devid, smac, vifs[i].model));
                 flexarray_set(dm_args, num++, "-net");
                 flexarray_set(dm_args, num++, libxl__sprintf(gc, "tap,vlan=%d,ifname=%s,script=no",
-                            vifs[i].devid, vifs[i].ifname));
+                            vifs[i].devid, ifname));
                 ioemu_vifs++;
             }
         }
-- 
1.7.1