commit eab7ae6bfe13503ea705e70e32edaa60357cbaa1
Author: Peter Krempa <pkrempa@redhat.com>
Date: Fri Mar 12 10:16:11 2021 +0100
virLockSpaceNewPostExecRestart: Fix out-of-bounds array access
'res->owners' is allocated to 'res->nOwners' elements, but unfortunately
'res->nOwners' doesn't contain the proper value until after the
allocation so 0 elements are allocated. The following loop which assumes
that the array has the right number of elements then accesses the
pointer out of bounds. The bug was also faithfully converted from
VIR_ALLOC_N to g_new0.
Fixes: 4a3d6ed5ee0
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Index: libvirt-7.1.0/src/util/virlockspace.c
===================================================================
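--- libvirt-7.1.0.orig/src/util/virlockspace.c
+++ libvirt-7.1.0/src/util/virlockspace.c
@@ -324,7 +324,6 @@ virLockSpacePtr virLockSpaceNewPostExecR
 const char *tmp;
 virJSONValuePtr owners;
 size_t j;
- size_t m;
 
 res = g_new0(virLockSpaceResource, 1);
 res->fd = -1;
@@ -384,9 +383,8 @@ virLockSpacePtr virLockSpaceNewPostExecR
 goto error;
 }
 
- m = virJSONValueArraySize(owners);
+ res->nOwners = virJSONValueArraySize(owners);
 res->owners = g_new0(pid_t, res->nOwners);
- res->nOwners = m;
 
 for (j = 0; j < res->nOwners; j++) {
 unsigned long long int owner;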
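Review bot: In the second hunk, `res->owners = g_new0(pid_t, res->nOwners);` is only correct because `res->nOwners` is assigned on the line directly above it, and nothing in the code records that ordering requirement, which is the exact coupling that was broken before. A one-line comment above the assignment, for example `/* nOwners must be set before it sizes the owners array; the loop below indexes up to it */`, would keep a later refactor from separating the two statements again. The patch as shown touches only virlockspace.c, so a regression test that restores a lockspace from JSON state with at least one owner, run under a memory checker, would be worth adding alongside it. The loop body and the rest of virLockSpaceNewPostExecRestart lie outside both hunks, so how each `owner` value is range-checked before being stored as a `pid_t` cannot be judged from here.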