Fix crash on OOM in qemuAddRBDHost

When parsing the RBD hosts, it increments the 'nhosts' counter
before increasing the 'hosts' array allocation. If an OOM then
occurs when increasing the array allocation, the cleanup block
will attempt to access beyond the end of the array. Switch
to using VIR_EXPAND_N instead of VIR_REALLOC_N to protect against
this mistake

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index e98aed56010814da75c2711394313b29b50f322d..1819bf6ac12a43701f57a85ecb7bfad539e24dc3 100644 (file)
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -3232,9 +3232,8 @@ static int qemuAddRBDHost(virDomainDiskDefPtr disk, char *hostport)
     size_t skip;
     char **parts;
 
-    disk->nhosts++;
-    if (VIR_REALLOC_N(disk->hosts, disk->nhosts) < 0)
-        goto error;
+    if (VIR_EXPAND_N(disk->hosts, disk->nhosts, 1) < 0)
+        return -1;
 
     if ((port = strchr(hostport, ']'))) {
         /* ipv6, strip brackets */