remote: fix crash on OOM

Bug introduced in commit 675464b.  On an OOM, this would try to
dereference a char* and free the contents as a pointer, which is
doomed to failure.

Adding a syntax check will prevent mistakes like this in the future.

* cfg.mk (sc_prohibit_internal_functions): New syntax check.
(exclude_file_name_regexp--sc_prohibit_internal_functions): Add
exemptions.
* daemon/remote.c (remoteRelayDomainEventIOError)
(remoteRelayDomainEventIOErrorReason)
(remoteRelayDomainEventGraphics, remoteRelayDomainEventBlockJob):
Use correct free function.

diff --git a/cfg.mk b/cfg.mk
index 95c5eff63c217d15a6ac2686bf07ecec588e378d..9f4aa3edef9eeae23f9c155f8ea1b18701af8565 100644 (file)
--- a/cfg.mk
+++ b/cfg.mk
@@ -212,7 +212,7 @@ useless_free_options =                              \
 # y virDomainWatchdogDefFree
 # n virDrvNodeGetCellsFreeMemory (returns int)
 # n virDrvNodeGetFreeMemory (returns long long)
-# n virFree (dereferences param)
+# n virFree - dereferences param
 # n virFreeError
 # n virHashFree (takes 2 args)
 # y virInterfaceDefFree
@@ -306,6 +306,12 @@ sc_flags_usage:
        halt='flags should be unsigned'                                 \
          $(_sc_search_regexp)
 
+# Avoid functions that should only be called via macro counterparts.
+sc_prohibit_internal_functions:
+       @prohibit='vir(Free|AllocN?|ReallocN|File(Close|Fclose|Fdopen)) *\(' \
+       halt='use VIR_ macros instead of internal functions'            \
+         $(_sc_search_regexp)
+
 # Avoid functions that can lead to double-close bugs.
 sc_prohibit_close:
        @prohibit='([^>.]|^)\<[fp]?close *\('                           \
@@ -706,6 +712,9 @@ exclude_file_name_regexp--sc_prohibit_fork_wrappers = \
 
 exclude_file_name_regexp--sc_prohibit_gethostname = ^src/util/util\.c$$
 
+exclude_file_name_regexp--sc_prohibit_internal_functions = \
+  ^src/(util/(memory|util|virfile)\.[hc]|esx/esx_vi\.c)$$
+
 exclude_file_name_regexp--sc_prohibit_newline_at_end_of_diagnostic = \
   ^src/rpc/gendispatch\.pl$$
 

diff --git a/daemon/remote.c b/daemon/remote.c
index 74e759a2f81339cef62c967a2ea3cb4c2b268034..245d41caef3bbc553c6d53950e18439ee3aa2c54 100644 (file)
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -250,8 +250,8 @@ static int remoteRelayDomainEventIOError(virConnectPtr conn ATTRIBUTE_UNUSED,
     return 0;
 mem_error:
     virReportOOMError();
-    virFree(data.srcPath);
-    virFree(data.devAlias);
+    VIR_FREE(data.srcPath);
+    VIR_FREE(data.devAlias);
     return -1;
 }
 
@@ -296,9 +296,9 @@ static int remoteRelayDomainEventIOErrorReason(virConnectPtr conn ATTRIBUTE_UNUS
 
 mem_error:
     virReportOOMError();
-    virFree(data.srcPath);
-    virFree(data.devAlias);
-    virFree(data.reason);
+    VIR_FREE(data.srcPath);
+    VIR_FREE(data.devAlias);
+    VIR_FREE(data.reason);
     return -1;
 }
 
@@ -374,17 +374,17 @@ static int remoteRelayDomainEventGraphics(virConnectPtr conn ATTRIBUTE_UNUSED,
 
 mem_error:
     virReportOOMError();
-    virFree(data.authScheme);
-    virFree(data.local.node);
-    virFree(data.local.service);
-    virFree(data.remote.node);
-    virFree(data.remote.service);
+    VIR_FREE(data.authScheme);
+    VIR_FREE(data.local.node);
+    VIR_FREE(data.local.service);
+    VIR_FREE(data.remote.node);
+    VIR_FREE(data.remote.service);
     if (data.subject.subject_val != NULL) {
         for (i = 0 ; i < data.subject.subject_len ; i++) {
-            virFree(data.subject.subject_val[i].type);
-            virFree(data.subject.subject_val[i].name);
+            VIR_FREE(data.subject.subject_val[i].type);
+            VIR_FREE(data.subject.subject_val[i].name);
         }
-        virFree(data.subject.subject_val);
+        VIR_FREE(data.subject.subject_val);
     }
     return -1;
 }
@@ -422,7 +422,7 @@ static int remoteRelayDomainEventBlockJob(virConnectPtr conn ATTRIBUTE_UNUSED,
 
 mem_error:
     virReportOOMError();
-    virFree(data.path);
+    VIR_FREE(data.path);
     return -1;
 }