From patchwork Fri Apr 26 11:44:32 2013
X-Patchwork-Submitter: Stefan Hajnoczi
X-Patchwork-Id: 239827
From: Stefan Hajnoczi
Date: Fri, 26 Apr 2013 13:44:32 +0200
Message-Id: <1366976682-10251-13-git-send-email-stefanha@redhat.com>
In-Reply-To: <1366976682-10251-1-git-send-email-stefanha@redhat.com>
References: <1366976682-10251-1-git-send-email-stefanha@redhat.com>
Cc: Kevin Wolf, Anthony Liguori, Stefan Hajnoczi
Subject: [Qemu-devel] [PATCH 06/11] rbd: Fix use after free in rbd_open()

From: Kevin Wolf

Commit a9ccedc3 frees the QemuOpts for the driver-specific options immediately, even though it still needs the filename string that is contained there. This doesn't work.

Move the deletion of the QemuOpts to the end of the function where its content isn't needed any more.

Signed-off-by: Kevin Wolf
Reviewed-by: Eric Blake
Signed-off-by: Stefan Hajnoczi
--- block/rbd.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/block/rbd.c b/block/rbd.c index 1826411..0f2608b 100644 --- a/block/rbd.c +++ b/block/rbd.c @@ -478,20 +478,20 @@ static int qemu_rbd_open(BlockDriverState *bs, QDict *options, int flags) } filename = qemu_opt_get(opts, "filename"); - qemu_opts_del(opts); if (qemu_rbd_parsename(filename, pool, sizeof(pool), snap_buf, sizeof(snap_buf), s->name, sizeof(s->name), conf, sizeof(conf)) < 0) { - return -EINVAL; + r = -EINVAL; + goto failed_opts; } clientname = qemu_rbd_parse_clientname(conf, clientname_buf); r = rados_create(&s->cluster, clientname); if (r < 0) { error_report("error initializing"); - return r; + goto failed_opts; } s->snap = NULL; 
@@ -557,6 +557,7 @@ static int qemu_rbd_open(BlockDriverState *bs, QDict *options, int flags) NULL, qemu_rbd_aio_flush_cb, s); + qemu_opts_del(opts); return 0; failed: @@ -566,6 +567,8 @@ failed_open: failed_shutdown: rados_shutdown(s->cluster); g_free(s->snap); +failed_opts: + qemu_opts_del(opts); return r; }
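Review bot: the lifetime dependency that caused this bug is still undocumented in the first hunk, at `filename = qemu_opt_get(opts, "filename");`. The returned string is contained in `opts`, so `filename` dangles as soon as `qemu_opts_del(opts)` runs, and nothing at that line tells the next person who tidies up the function. A short comment there saying that `filename` points into `opts` and that `opts` must stay alive until `filename` is no longer read would guard against the delete being moved back up. If `filename` is only read by `qemu_rbd_parsename()`, which copies into the caller's `pool`, `snap_buf`, `s->name` and `conf` buffers, deleting `opts` directly after that call would also fix the use after free without a new label.

Review bot: the cleanup of `opts` is now split between two places, `qemu_opts_del(opts)` before `return 0` in the second hunk and again under the new `failed_opts:` label in the last hunk, and the label's position below `g_free(s->snap)` is what makes the two new `goto failed_opts` sites safe. Both of those sites are reached before `s->snap = NULL`, so skipping `rados_shutdown(s->cluster)` and `g_free(s->snap)` is correct for them, but that depends on the ordering of the labels and is easy to break when an error exit is added later. Consider a comment at `failed_opts:` stating that it is only for failures before the cluster handle exists, or a single exit path that frees `opts` once for both success and failure.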