Patchwork [01/11] qiov: prevent double free or use-after-free

Submitter Paolo Bonzini
Date Dec. 6, 2011, 11:01 a.m.
Message ID <1323169292-21661-2-git-send-email-pbonzini@redhat.com>
Permalink /patch/129614/
State New

Comments

Paolo Bonzini - Dec. 6, 2011, 11:01 a.m.
qemu_iovec_destroy does not clear the QEMUIOVector fully, and the data
could thus be used after free or freed again.  This can be observed with
virtio-scsi, because canceling DMA requests can happen more easily with
SCSI (due to task management functions) than with other backends.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 cutils.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

Patch

diff --git a/cutils.c b/cutils.c
index 6db6304..24b3fe3 100644
--- a/cutils.c
+++ b/cutils.c
@@ -217,7 +217,10 @@  void qemu_iovec_destroy(QEMUIOVector *qiov)
 {
     assert(qiov->nalloc != -1);
 
+    qemu_iovec_reset(qiov);
     g_free(qiov->iov);
+    qiov->nalloc = 0;
+    qiov->iov = NULL;
 }
 
 void qemu_iovec_reset(QEMUIOVector *qiov)
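Review bot: with nalloc cleared to 0 rather than -1, a second qemu_iovec_destroy() on the same qiov now passes assert(qiov->nalloc != -1) and reaches g_free(NULL), which is a no-op, so a double destroy becomes silently harmless; if that is the intended contract it is worth saying so in the commit message, and if it is not, consider a stronger marker than 0 so the assert still catches a double destroy. The hunk also relies on qemu_iovec_reset() to zero the fields that the commit message says were left uncleared (niov and size are not visible here), so naming those fields in the message would let reviewers confirm that nalloc and iov were the only remaining dangling state.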
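To make the failure mode in the commit message concrete, here is an added example, written for this page and not taken from QEMU: a small stand-in for QEMUIOVector (the type `IOVec` and the functions `iov_init`, `iov_add`, `iov_reset`, `iov_destroy_unsafe`, `iov_destroy_safe` and `iov_is_live` are all hypothetical names chosen here) with a destroy routine shaped like the pre-patch code beside one shaped like the patched code. The unsafe variant frees the array but leaves `iov`, `niov` and `size` pointing at the freed allocation, so a later cancel path that re-enters the qiov would read or free stale memory; the safe variant resets the counters, frees, and nulls the pointer, so a second destroy and a later add both behave.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <sys/uio.h>

/* Hypothetical stand-in for QEMU's QEMUIOVector; not QEMU code. */
typedef struct {
    struct iovec *iov;
    int niov;
    int nalloc;   /* -1 means iov is externally owned, as in QEMU */
    size_t size;
} IOVec;

void iov_init(IOVec *q, int alloc_hint)
{
    int n = alloc_hint > 0 ? alloc_hint : 1;
    q->iov = calloc((size_t)n, sizeof(struct iovec));
    q->niov = 0;
    q->nalloc = n;
    q->size = 0;
}

void iov_add(IOVec *q, void *base, size_t len)
{
    assert(q->nalloc != -1);
    if (q->niov == q->nalloc) {
        int n = q->nalloc ? q->nalloc * 2 : 1;
        q->iov = realloc(q->iov, (size_t)n * sizeof(struct iovec));
        q->nalloc = n;
    }
    q->iov[q->niov].iov_base = base;
    q->iov[q->niov].iov_len = len;
    q->niov++;
    q->size += len;
}

void iov_reset(IOVec *q)
{
    q->niov = 0;
    q->size = 0;
}

/* Pre-patch shape: frees the array but leaves every field as it was. */
void iov_destroy_unsafe(IOVec *q)
{
    assert(q->nalloc != -1);
    free(q->iov);
}

/* Post-patch shape: clear counters, free, and null the pointer. */
void iov_destroy_safe(IOVec *q)
{
    assert(q->nalloc != -1);
    iov_reset(q);
    free(q->iov);
    q->nalloc = 0;
    q->iov = NULL;
}

/* A late cancel path that still holds the qiov can check this first. */
bool iov_is_live(const IOVec *q)
{
    return q->iov != NULL && q->nalloc > 0;
}

/* Fixed sequence: destroy twice, then add again. Returns the element
 * count after the re-add, or -1 if the qiov still looked live after
 * destroy. Expected: 1. */
int demo_fixed(void)
{
    static char buf[16];            /* constructed sample buffer */
    IOVec q;
    iov_init(&q, 2);
    iov_add(&q, buf, sizeof buf);
    iov_destroy_safe(&q);
    iov_destroy_safe(&q);           /* assert passes, free(NULL) is a no-op */
    bool live_after = iov_is_live(&q);
    iov_add(&q, buf, 4);            /* nalloc is 0, so this reallocates fresh */
    int n = q.niov;
    iov_destroy_safe(&q);
    return live_after ? -1 : n;
}

/* Old sequence: only inspects the stale fields, never dereferences them. */
bool demo_unsafe_leaves_dangling(void)
{
    static char buf[16];            /* constructed sample buffer */
    IOVec q;
    iov_init(&q, 2);
    iov_add(&q, buf, sizeof buf);
    iov_destroy_unsafe(&q);
    bool dangling = iov_is_live(&q) && q.niov == 1 && q.size == sizeof buf;
    q.iov = NULL;                   /* stop anything from freeing it again */
    return dangling;
}
```

The point of `iov_is_live` is that after the patched destroy the struct is in a recognizable empty state, so any code that may run after cancellation can test for it instead of trusting a pointer that has already been freed.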