Re: [Qemu-devel] [PATCH v4 02/28] io: avoid double-free when closing QIOChannelBuffer

2016-03-14 Thread Dr. David Alan Gilbert
* Daniel P. Berrange (berra...@redhat.com) wrote:
> The QIOChannelBuffer's close implementation will free
> the internal data buffer. It failed to reset the pointer
> to NULL though, so when the object is later finalized
> it will free it a second time with predictable crash.
> 
> Signed-off-by: Daniel P. Berrange 
> ---
>  io/channel-buffer.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/io/channel-buffer.c b/io/channel-buffer.c
> index 3e5117b..43d7959 100644
> --- a/io/channel-buffer.c
> +++ b/io/channel-buffer.c
> @@ -140,6 +140,7 @@ static int qio_channel_buffer_close(QIOChannel *ioc,
>  QIOChannelBuffer *bioc = QIO_CHANNEL_BUFFER(ioc);
>  
>  g_free(bioc->data);
> +bioc->data = NULL;
>  bioc->capacity = bioc->usage = bioc->offset = 0;

Would it be better to call qio_channel_buffer_finalize(bioc) here,
and put the data = NULL in there?

(You could split this out of the series since it could go in any time?)

Dave

>  
>  return 0;
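Review bot: the NULL reset is correct as far as this hunk shows, but it only makes the second free harmless because g_free(NULL) is a no-op in GLib; since the hunk also zeroes capacity, usage and offset, the finalize path (outside this hunk) should be checked to free bioc->data unconditionally rather than gating on capacity or usage being non-zero, otherwise a close-then-finalize sequence would leak nothing but a finalize-without-close could skip the free.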
> -- 
> 2.5.0
> 
--
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK



[Qemu-devel] [PATCH v4 02/28] io: avoid double-free when closing QIOChannelBuffer

2016-03-11 Thread Daniel P. Berrange
The QIOChannelBuffer's close implementation will free
the internal data buffer. It failed to reset the pointer
to NULL though, so when the object is later finalized
it will free it a second time with predictable crash.

Signed-off-by: Daniel P. Berrange 
---
 io/channel-buffer.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/io/channel-buffer.c b/io/channel-buffer.c
index 3e5117b..43d7959 100644
--- a/io/channel-buffer.c
+++ b/io/channel-buffer.c
@@ -140,6 +140,7 @@ static int qio_channel_buffer_close(QIOChannel *ioc,
 QIOChannelBuffer *bioc = QIO_CHANNEL_BUFFER(ioc);
 
 g_free(bioc->data);
+bioc->data = NULL;
 bioc->capacity = bioc->usage = bioc->offset = 0;
 
 return 0;
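Review bot: the `bioc->data = NULL;` line deserves a short comment in the hunk, because the reason for it (finalize frees bioc->data again, and g_free(NULL) is a no-op) is stated only in the commit message and is not evident from qio_channel_buffer_close itself; a line such as `/* finalize also frees data; NULL makes that a no-op */` above the assignment would keep the invariant from being lost in a later refactor. Zeroing capacity, usage and offset together with the pointer is the right pairing, since it leaves the struct self-consistent and a read after close sees an empty buffer rather than a dangling pointer.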
-- 
2.5.0