
changeset 22173:8caf87c7a017

libxl: don't leak gc pointers to caller's structs; prevent double free

libxl_build_device_model uses a pointer in a caller supplied data
structure to synthesize a vif-name if one is not supplied. This is bad
juju because the caller may want to free this pointer but by the time it
gets a chance the gc has already done so. Switch to using a local
variable for this pointer and avoid a double-free in the domain create
path.

Gianni Tedesco <gianni.tedesco@citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
author Gianni Tedesco <gianni.tedesco@citrix.com>
date Fri Sep 10 18:49:00 2010 +0100 (2010-09-10)
parents d57c33873eed
children 5ad5ba05e3af
files tools/libxl/libxl.c
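--- a/tools/libxl/libxl.c
+++ b/tools/libxl/libxl.c
@@ -1190,14 +1190,17 @@ static char ** libxl_build_device_model_
                 char *smac = libxl__sprintf(gc, "%02x:%02x:%02x:%02x:%02x:%02x",
                                            vifs[i].mac[0], vifs[i].mac[1], vifs[i].mac[2],
                                            vifs[i].mac[3], vifs[i].mac[4], vifs[i].mac[5]);
+                char *ifname;
                 if (!vifs[i].ifname)
-                    vifs[i].ifname = libxl__sprintf(gc, "tap%d.%d", info->domid, vifs[i].devid);
+                    ifname = libxl__sprintf(gc, "tap%d.%d", info->domid, vifs[i].devid);
+                else
+                    ifname = vifs[i].ifname;
                 flexarray_set(dm_args, num++, "-net");
                 flexarray_set(dm_args, num++, libxl__sprintf(gc, "nic,vlan=%d,macaddr=%s,model=%s",
                             vifs[i].devid, smac, vifs[i].model));
                 flexarray_set(dm_args, num++, "-net");
                 flexarray_set(dm_args, num++, libxl__sprintf(gc, "tap,vlan=%d,ifname=%s,bridge=%s,script=no",
-                            vifs[i].devid, vifs[i].ifname, vifs[i].bridge));
+                            vifs[i].devid, ifname, vifs[i].bridge));
                 ioemu_vifs++;
             }
         }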
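Review bot: The new local `ifname` removes the dangling pointer, but nothing in the code records why the synthesized name must not be written back into `vifs[i]`, so a later tidy-up could reintroduce the ownership bug; a comment above `char *ifname;` such as `/* Never store a gc-allocated string in the caller's vifs[]: the gc frees it, leaving the caller a dangling pointer and a double free if it frees it too. */` would keep the rationale next to the code. Any caller that previously read the synthesized `tap%d.%d` name back out of `vifs[i].ifname` after this call no longer sees it, which cannot be confirmed from this hunk and is worth checking at the call sites. The enclosing function (`libxl_build_device_model_…` per the hunk header) starts and ends outside the hunk.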