How to reproduce:
1. Extract test images from test/data/ldm-data.tar.xz
2. losetup --show -f test/data/ldm-2003r2-simple-1.img
   Let's assume the image file was associated with /dev/loop0
3. ldmtool -d /dev/loop0 create all

Result: One LDM volume which contains all required components on the
associated loop device will be mapped, but the application crashes on a
further attempt to do the same for incomplete volumes, with the error
"Error in `ldmtool': free(): invalid pointer: 0x.......".

Reason: The _dm_create_spanned and _dm_create_striped functions define a
static local variable "static GString *name" which is at the same time
the function return value.  It is passed up the call stack and is freed
in the _ldm_vol_action function.  An attempt to free the same pointer will
be made if ldmtool successfully creates some volume first and then
tries to create an incomplete volume, which will cause an application crash.
---
 src/ldm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/ldm.c b/src/ldm.c
index 19a0663..372b0d7 100644
--- a/src/ldm.c
+++ b/src/ldm.c
@@ -2615,7 +2615,7 @@ _dm_create_part(const LDMPartitionPrivate * const part, 
uint32_t cookie,
 static GString *
 _dm_create_spanned(const LDMVolumePrivate * const vol, GError ** const err)
 {
-    static GString *name = NULL;
+    GString *name = NULL;
     guint i = 0;
     struct dm_target *targets = g_malloc(sizeof(*targets) * vol->parts->len);
 
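Review bot: the ownership contract for the return value of _dm_create_spanned is undocumented, and the `static` on `name` hid it. Since the commit message says _ldm_vol_action frees the returned pointer, a short comment above the function stating that the caller owns the returned GString would keep this from regressing. With `name` now reset to NULL on every call, it is also worth confirming that every path reaching the `out:` label either leaves `name` NULL or returns a freshly allocated string, and that the caller tolerates a NULL return.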
@@ -2682,7 +2682,7 @@ out:
 static GString *
 _dm_create_striped(const LDMVolumePrivate * const vol, GError ** const err)
 {
-    static GString *name = NULL;
+    GString *name = NULL;
     struct dm_target target;
 
     target.start = 0;
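Review bot: only _dm_create_spanned and _dm_create_striped are touched, so please check the sibling helpers for the same `static GString *name` declaration, for example _dm_create_part, which appears in the first hunk's header. The reproduction steps in the commit message (the ldm-2003r2-simple-1.img image with "create all") would also make a good regression test, since the crash only shows when a successful create is followed by an incomplete volume in the same run.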
-- 
2.17.0

_______________________________________________
Libguestfs mailing list
Libguestfs@redhat.com
https://www.redhat.com/mailman/listinfo/libguestfs
