| author | Paolo Bonzini <pbonzini@redhat.com> | 2011-11-25 12:06:22 +0100 |
|---|---|---|
| committer | Justin M. Forbes <jforbes@redhat.com> | 2012-01-10 13:36:27 -0600 |
| commit | 6061f16a8a119a46e61f2ddbabdb58f83e8857f7 (patch) | |
| tree | b053b6fdb0260d75bd00ebb7cf67a0cdec3160de | |
| parent | 23201c64a789cf948fedcea221a4b6e197fcd628 (diff) | |
qiov: prevent double free or use-after-free
qemu_iovec_destroy does not clear the QEMUIOVector fully, and the data
could thus be used after free or freed again. While I do not know any
example in the tree, I observed this using virtio-scsi (and SCSI
scatter/gather) when canceling DMA requests.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-rw-r--r-- | cutils.c | 3 |
1 files changed, 3 insertions, 0 deletions
@@ -217,7 +217,10 @@ void qemu_iovec_destroy(QEMUIOVector *qiov) { assert(qiov->nalloc != -1); + qemu_iovec_reset(qiov); g_free(qiov->iov); + qiov->nalloc = 0; + qiov->iov = NULL; } void qemu_iovec_reset(QEMUIOVector *qiov) |
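Review bot: the post-destroy state of the vector is only partly visible in this hunk, because the new `qemu_iovec_reset(qiov);` call is relied on to clear whatever fields `qiov->nalloc = 0;` and `qiov->iov = NULL;` do not, yet only the signature of qemu_iovec_reset() appears here as trailing context; a one-line comment above the reset call stating that it zeroes the remaining fields (or zeroing them explicitly next to `nalloc` and `iov`) would make the invariant "destroyed vector is empty and owns no buffer" self-evident to the next reader. It is also worth spelling out in the commit message that, with these three lines, a second qemu_iovec_destroy() on the same vector now passes the existing `assert(qiov->nalloc != -1);` and reaches g_free() with a NULL pointer, i.e. the double free becomes a silent no-op rather than a crash or an assertion; that is the intended hardening against the virtio-scsi cancellation path described, but it also means a caller that destroys twice will no longer be noticed, so the message should say that this is a deliberate trade-off.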