Fix dereference of potentially freed pointer in qemudDomainSaveFlags

The pointer to the xml describing the domain is saved into an object
prior to calling VIR_REALLOC_N() to make the size of the memory it
points to a multiple of QEMU_MONITOR_MIGRATE_TO_FILE_BS. If that
operation needs to allocate new memory, the pointer that was saved is
no longer valid.

To avoid this situation, adjust the size *before* saving the pointer.

(This showed up when experimenting with very large values of
QEMU_MONITOR_MIGRATE_TO_FILE_BS).

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 6f77ea0bd3d0d720269446524bc7a32d597317d8..2dc32fa01b2b3907db1220b62feca7afa2b9d4cc 100644 (file)
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -4959,12 +4959,6 @@ static int qemudDomainSaveFlag(virDomainPtr dom, const char *path,
         is_reg = S_ISREG(sb.st_mode);
     }
 
-
-    /* Setup hook data needed by virFileOperation hook function */
-    hdata.dom = dom;
-    hdata.path = path;
-    hdata.xml = xml;
-    hdata.header = &header;
     offset = sizeof(header) + header.xml_len;
 
     /* Due to way we append QEMU state on our header with dd,
@@ -4985,6 +4979,12 @@ static int qemudDomainSaveFlag(virDomainPtr dom, const char *path,
         header.xml_len += pad;
     }
 
+    /* Setup hook data needed by virFileOperation hook function */
+    hdata.dom = dom;
+    hdata.path = path;
+    hdata.xml = xml;
+    hdata.header = &header;
+
     /* Write header to file, followed by XML */
 
     /* First try creating the file as root */