Re: [Xen-devel] [PATCH for-4.5] libxc: don't leak buffer containing the uncompressed PV kernel

[Ian Campbell <Ian.Campbell@xxxxxxxxxx>]

On Mon, 2014-11-17 at 09:16 +0000, Wei Liu wrote:
> > @@ -508,6 +522,10 @@ static int xc_try_lzo1x_decode(
> >              if ( out_len != dst_len )
> >                  break;
> >  
> > +            msg = "Error registering stream output";
> > +            if ( xc_dom_register_external(dom, out_buf, out_len) )
> > +                break;
> > +
> 
> Is this hunk problematic?
> 
> It's called in a loop. Looks like it may register the same ptr multiple
> times which leads to freeing same ptr multiple times later.

Yes, it is wrong. I mistakenly read this as being the "input stream
done" case, but it's just "a chunk is done". I think the right place to
add this new code is actually in the if true part of:
        dst_len = lzo_read_32(cur);
        if ( !dst_len )
            return 0;

That's the only return within the loop, and any break would take us to
the function epilogue which is the error case and frees the buffer.

Thanks for checking!

Ian.


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel