commit 795527548fea79902ea4ce32747e069944cf3e61
Author: Peter Krempa <pkrempa@redhat.com>
Date:   Thu Sep 26 08:12:39 2013 +0200

    conf: Don't crash on invalid chardev source definition of RNGs and other
    
    Since commit 297c99a5 an invalid source definition XML of a character
    device that is used as backend for RNG devices, smartcards and redirdevs
    causes crash of the daemon when parsing such a definition.
    
    The device types mentioned above are not a part of a regular character
    device but are backends for other types. Thus when parsing such device
    NULL is passed as the argument @chr_def. Later when checking the
    validity of the definition @chr_def was dereferenced when parsing a UNIX
    socket backend with missing path of the socket and crashed the daemon.
    
    Sample offending configuration:
      <devices>
      ...
        <rng model='virtio'>
          <backend model='egd' type='unix'>
            <source mode='bind' service='1024'/>
          </backend>
        </rng>
      </devices>
    
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1012196

Index: libvirt-1.1.2/src/conf/domain_conf.c
===================================================================
--- libvirt-1.1.2.orig/src/conf/domain_conf.c
+++ libvirt-1.1.2/src/conf/domain_conf.c
@@ -7026,7 +7026,8 @@ virDomainChrSourceDefParseXML(virDomainC
     case VIR_DOMAIN_CHR_TYPE_UNIX:
         /* path can be auto generated */
         if (!path &&
-            chr_def->targetType != VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO) {
+            (!chr_def ||
+             chr_def->targetType != VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO)) {
             virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                            _("Missing source path attribute for char device"));
             goto error;
Index: libvirt-1.1.2/tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml
===================================================================
--- /dev/null
+++ libvirt-1.1.2/tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml
@@ -0,0 +1,27 @@
+<domain type='qemu'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219100</memory>
+  <currentMemory unit='KiB'>219100</currentMemory>
+  <vcpu placement='static' cpuset='1-4,8-20,525'>1</vcpu>
+  <os>
+    <type arch='i686' machine='pc'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu</emulator>
+    <controller type='usb' index='0'/>
+    <controller type='pci' index='0' model='pci-root'/>
+    <memballoon model='virtio'/>
+    <rng model='virtio'>
+      <backend model='egd' type='unix'>
+        <!-- https://bugzilla.redhat.com/show_bug.cgi?id=1012196 -->
+        <source mode='connect' host='1.2.3.4' service='1234'/>
+      </backend>
+    </rng>
+  </devices>
+</domain>
Index: libvirt-1.1.2/tests/qemuxml2argvtest.c
===================================================================
--- libvirt-1.1.2.orig/tests/qemuxml2argvtest.c
+++ libvirt-1.1.2/tests/qemuxml2argvtest.c
@@ -973,6 +973,8 @@ mymain(void)
             QEMU_CAPS_OBJECT_RNG_RANDOM);
     DO_TEST("virtio-rng-egd", QEMU_CAPS_DEVICE, QEMU_CAPS_DEVICE_VIRTIO_RNG,
             QEMU_CAPS_OBJECT_RNG_EGD);
+    DO_TEST_PARSE_ERROR("virtio-rng-egd-crash", QEMU_CAPS_DEVICE,
+            QEMU_CAPS_DEVICE_VIRTIO_RNG, QEMU_CAPS_OBJECT_RNG_EGD);
     DO_TEST("virtio-rng-ccw",
             QEMU_CAPS_DEVICE, QEMU_CAPS_CHARDEV, QEMU_CAPS_NODEFCONFIG,
             QEMU_CAPS_DRIVE, QEMU_CAPS_BOOTINDEX, QEMU_CAPS_VIRTIO_CCW,