[Qemu-devel] [PATCH v3 2/5] 9p: xattr: Fix crashes due to free of uninitialized value
From: Keno Fischer
Subject: [Qemu-devel] [PATCH v3 2/5] 9p: xattr: Fix crashes due to free of uninitialized value
Date: Sat, 2 Jun 2018 17:29:36 -0400
If the size returned from llistxattr/lgetxattr is 0, we skipped
the malloc call, leaving xattr.value uninitialized. However, this
value is later passed to `g_free` without any further checks,
causing an error. Fix that by always calling g_malloc unconditionally.
If `size` is 0, it will return NULL, which is safe to pass to g_free.
Signed-off-by: Keno Fischer <address@hidden>
---
Changes since v2:
* Fix another instance of the problematic pattern later in the same function.
hw/9pfs/9p.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index d74302d..4386d69 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3256,8 +3256,8 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
xattr_fidp->fs.xattr.len = size;
xattr_fidp->fid_type = P9_FID_XATTR;
xattr_fidp->fs.xattr.xattrwalk_fid = true;
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
if (size) {
- xattr_fidp->fs.xattr.value = g_malloc0(size);
err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
xattr_fidp->fs.xattr.value,
xattr_fidp->fs.xattr.len);
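Review bot: the hoisted `xattr_fidp->fs.xattr.value = g_malloc0(size);` is correct only because g_malloc0() returns NULL for a zero size, which the commit message relies on; a short comment at the allocation, or an explicit `value = NULL` assignment for the `size == 0` case, would make that dependency visible to the next reader and would survive a later switch to an allocator that hands back a unique pointer for 0 bytes.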
@@ -3289,8 +3289,8 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
xattr_fidp->fs.xattr.len = size;
xattr_fidp->fid_type = P9_FID_XATTR;
xattr_fidp->fs.xattr.xattrwalk_fid = true;
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
if (size) {
- xattr_fidp->fs.xattr.value = g_malloc0(size);
err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
&name, xattr_fidp->fs.xattr.value,
xattr_fidp->fs.xattr.len);
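Review bot: this hunk repeats the first one line for line (len, fid_type, xattrwalk_fid and value are set identically ahead of `if (size)`), and the changelog notes that v2 missed this second site; factoring the shared setup into a small helper used by both the llistxattr and lgetxattr paths would keep the two from drifting apart again.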
--
2.8.1
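The pattern this patch fixes, as an added stand-alone illustration that is not QEMU code: a struct with a `len`/`value` pair stands in for the xattr fid state, `zalloc0()` models the documented g_malloc0() behaviour (zeroed buffer, NULL for size 0), and the old and fixed allocation orderings are placed side by side. The old path is exercised with size 0 on a struct pre-filled with a marker byte pattern so that the stale, never-initialized pointer can be observed through its bit pattern without ever being freed; the fixed path shows that the pointer is always defined and that releasing it is safe in both the zero and non-zero cases. All names here (`xattr_fid`, `zalloc0`, `xattrwalk_old`, `xattrwalk_fixed`, `xattr_fid_release`) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the fid fields touched by v9fs_xattrwalk. */
struct xattr_fid {
    size_t len;
    void *value;
};

/* Model of g_malloc0(): zero-filled allocation; NULL when size is 0.
 * (GLib documents the NULL return for a zero-sized request.) */
static void *zalloc0(size_t size)
{
    if (size == 0) {
        return NULL;
    }
    void *p = calloc(1, size);
    if (p == NULL) {
        abort(); /* g_malloc0 likewise aborts on allocation failure */
    }
    return p;
}

/* Old ordering: allocate only when size != 0, leaving value untouched otherwise. */
static void xattrwalk_old(struct xattr_fid *fid, size_t size)
{
    fid->len = size;
    if (size) {
        fid->value = zalloc0(size);
    }
}

/* Fixed ordering: allocate unconditionally so value is always a defined
 * pointer (a real buffer, or NULL for size 0). */
static void xattrwalk_fixed(struct xattr_fid *fid, size_t size)
{
    fid->len = size;
    fid->value = zalloc0(size);
    if (size) {
        /* the real code fills value via llistxattr/lgetxattr here */
    }
}

/* Release path: free(NULL) is a no-op, exactly like g_free(NULL). */
static void xattr_fid_release(struct xattr_fid *fid)
{
    free(fid->value);
    fid->value = NULL;
    fid->len = 0;
}

/* Copy the pointer's bits out so the stale value can be inspected without
 * comparing or dereferencing an invalid pointer. */
static uintptr_t pointer_bits(const void *const *slot)
{
    uintptr_t bits;
    memcpy(&bits, slot, sizeof bits);
    return bits;
}

/* Returns 1 when, with size 0, the old ordering leaves whatever garbage the
 * field held (here a constructed 0xA5 marker pattern) in value. That pointer
 * is what the pre-patch code handed to g_free; it is deliberately not freed. */
int old_pattern_leaves_stale_pointer(void)
{
    struct xattr_fid fid;
    memset(&fid, 0xA5, sizeof fid);
    xattrwalk_old(&fid, 0);
    return pointer_bits((const void *const *)&fid.value) != 0;
}

/* Returns 1 when the fixed ordering yields a NULL value for size 0 and the
 * release is therefore safe. */
int fixed_pattern_value_is_null_for_zero(void)
{
    struct xattr_fid fid;
    memset(&fid, 0xA5, sizeof fid);
    xattrwalk_fixed(&fid, 0);
    int ok = (fid.value == NULL);
    xattr_fid_release(&fid);
    return ok;
}

/* Returns 1 when, for a non-zero size, the fixed ordering yields a zero-filled
 * buffer of exactly len bytes that can be released cleanly. */
int fixed_pattern_zeroed_buffer(size_t size)
{
    struct xattr_fid fid;
    memset(&fid, 0xA5, sizeof fid);
    xattrwalk_fixed(&fid, size);
    int ok = (fid.value != NULL && fid.len == size);
    for (size_t i = 0; ok && i < size; i++) {
        ok = ((const unsigned char *)fid.value)[i] == 0;
    }
    xattr_fid_release(&fid);
    return ok;
}

int main(void)
{
    printf("old ordering leaves stale pointer for size 0: %d\n", old_pattern_leaves_stale_pointer());
    printf("fixed ordering gives NULL for size 0:          %d\n", fixed_pattern_value_is_null_for_zero());
    printf("fixed ordering gives zeroed 16-byte buffer:    %d\n", fixed_pattern_zeroed_buffer(16));
    return 0;
}
```

The memset marker is a constructed stand-in for the uninitialized memory the commit message describes; on a real fid the leftover bits are simply whatever the allocation previously held, which is why the only robust fix is to assign `value` on every path rather than only when `size` is non-zero.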