Re: [Qemu-devel] [PATCH for-4.0] migration/ram.c: Fix use-after-free in
From: Peter Maydell
Subject: Re: [Qemu-devel] [PATCH for-4.0] migration/ram.c: Fix use-after-free in multifd_recv_unfill_packet()
Date: Wed, 10 Apr 2019 02:47:45 +0700
On Tue, 9 Apr 2019 at 22:42, Juan Quintela <address@hidden> wrote:
>
> Peter Maydell <address@hidden> wrote:
> > Coverity points out (CID 1400442) that in this code:
> >
> >     if (packet->pages_alloc > p->pages->allocated) {
> >         multifd_pages_clear(p->pages);
> >         multifd_pages_init(packet->pages_alloc);
> >     }
> >
> > we free p->pages in multifd_pages_clear() but continue to
> > use it in the following code. We also leak memory, because
> > multifd_pages_init() returns the pointer to a new MultiFDPages_t
> > struct but we are ignoring its return value.
> >
> > Fix both of these bugs by adding the missing assignment of
> > the newly created struct to p->pages.
> >
> > Signed-off-by: Peter Maydell <address@hidden>
> > ---
>
> ouch,
>
> good catch.
>
> Reviewed-by: Juan Quintela <address@hidden>
Thanks for the quick review. Applied to master for rc3.
-- PMM
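The grow-on-larger-packet step discussed in the thread, as an added example that is not QEMU's code: `Pages`, `RecvParams`, `pages_init()` and `pages_clear()` are assumed minimal stand-ins for MultiFDPages_t, MultiFDRecvParams and their helpers, and `unfill_grow()` carries the corrected assignment alongside a comment showing the original defect.

```c
#include <stdint.h>
#include <stdlib.h>

/* Assumed stand-in for QEMU's MultiFDPages_t (not the real struct). */
typedef struct {
    uint32_t allocated;   /* capacity of the offset array */
    uint64_t *offset;
} Pages;

/* Assumed stand-in for the receive-side parameter block. */
typedef struct {
    Pages *pages;
} RecvParams;

static Pages *pages_init(uint32_t n)
{
    Pages *pages = calloc(1, sizeof(*pages));
    if (!pages) abort();
    pages->allocated = n;
    pages->offset = calloc(n, sizeof(*pages->offset));
    if (!pages->offset) abort();
    return pages;
}

static void pages_clear(Pages *pages)
{
    free(pages->offset);
    free(pages);
}

/* Returns 1 if the pages block was reallocated, 0 if the old one still fits.
 * Original bug: pages_clear(p->pages); pages_init(n);  -- return value dropped,
 * so p->pages kept pointing at freed memory and the new block leaked. */
static int unfill_grow(RecvParams *p, uint32_t pages_alloc)
{
    if (pages_alloc > p->pages->allocated) {
        pages_clear(p->pages);
        p->pages = pages_init(pages_alloc);   /* the missing assignment */
        return 1;
    }
    return 0;
}

/* Exercise both branches; returns the final capacity (16). */
static uint32_t run_demo(void)
{
    RecvParams p = { .pages = pages_init(4) };
    int grew_small = unfill_grow(&p, 2);    /* fits: no reallocation */
    int grew_large = unfill_grow(&p, 16);   /* grows: freed, then replaced */
    if (grew_small || !grew_large) abort();
    p.pages->offset[15] = 42;   /* safe only because p->pages was updated */
    uint32_t cap = p.pages->allocated;
    pages_clear(p.pages);
    return cap;
}
```

Running under AddressSanitizer with the assignment removed reports the write to `offset[15]` as a heap-use-after-free, which is the same defect Coverity flagged.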