From c03fef652341b4ee8969b2a0229e2ef9046a9cee Mon Sep 17 00:00:00 2001
Message-Id:
From: Peter Krempa
Date: Mon, 16 Mar 2020 22:11:35 +0100
Subject: [PATCH] qemuDomainGetGuestInfo: Don't try to free a negative number of entries
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
'nfs' variable was set to -1 or -2 on agent failure. Cleanup then tried to free 'nfs' elements of the array which resulted into a crash. Make 'nfs' size_t and assign it only on successful agent call.
https://bugzilla.redhat.com/show_bug.cgi?id=1812965
Broken by commit 599ae372d8cf092
Signed-off-by: Peter Krempa
Reviewed-by: Ján Tomko
(cherry picked from commit 0fdb7385e416c9a0830dc60c0a56d55428963d74)
https://bugzilla.redhat.com/show_bug.cgi?id=1812965
Message-Id: <6eb97463bb380d32591ef82336095bf1ef370bca.1584391726.git.pkrempa@redhat.com>
Reviewed-by: Ján Tomko
---
 src/qemu/qemu_agent.c | 2 +-
 src/qemu/qemu_driver.c | 12 ++++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/qemu/qemu_agent.c b/src/qemu/qemu_agent.c
index ef2d2c500b..f13126aeee 100644
--- a/src/qemu/qemu_agent.c
+++ b/src/qemu/qemu_agent.c
@@ -1954,7 +1954,7 @@ qemuAgentGetFSInfoFillDisks(virJSONValuePtr jsondisks,
 return 0;
 }
-/* Returns: 0 on success
+/* Returns: number of entries in '@info' on success
 * -2 when agent command is not supported by the agent
 * -1 otherwise
 */
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 8c7e90531a..0bdb2851ec 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -23101,7 +23101,7 @@ qemuDomainGetGuestInfo(virDomainPtr dom,
 g_autofree char *hostname = NULL;
 unsigned int supportedTypes = types;
 int rc;
- int nfs = 0;
+ size_t nfs = 0;
 qemuAgentFSInfoPtr *agentfsinfo = NULL;
 size_t i;
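Review bot: The updated return-value comment in qemu_agent.c documents the success count but does not say what `*info` holds when the function returns -1 or -2, and the caller in qemu_driver.c relies on exactly that for its cleanup. I would add one line to the comment, for example ` * On failure '@info' is not populated and the return value must not be used as a count`. That wording needs to be confirmed against the function body, which lies outside this hunk.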
@@ -23154,9 +23154,13 @@ qemuDomainGetGuestInfo(virDomainPtr dom,
 }
 }
 if (supportedTypes & VIR_DOMAIN_GUEST_INFO_FILESYSTEM) {
- rc = nfs = qemuAgentGetFSInfo(agent, &agentfsinfo);
- if (rc < 0 && !(rc == -2 && types == 0))
- goto exitagent;
+ rc = qemuAgentGetFSInfo(agent, &agentfsinfo);
+ if (rc < 0) {
+ if (!(rc == -2 && types == 0))
+ goto exitagent;
+ } else {
+ nfs = rc;
+ }
 }
 ret = 0;
-- 
2.25.1
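Review bot: The cleanup loop's bound is now safe only while `nfs` is never assigned a negative return; with `size_t`, a stray `nfs = rc` on an error path would wrap to a huge count rather than a small negative one. A comment on the `else` branch would keep that invariant visible, for example `/* nfs bounds the agentfsinfo cleanup; set it only from a non-negative rc */`. The cleanup code and the rest of qemuDomainGetGuestInfo lie outside the hunk, so it is worth confirming there that `agentfsinfo` is still NULL (or safely freed) when the call fails or when the tolerated `rc == -2 && types == 0` case falls through to `ret = 0`. Since the failure originates from the guest agent, a test that forces both error codes through this path would guard against a regression.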