security: plug regression introduced in disk probe logic

Regression introduced in commit d6623003 (v0.8.8) - using the
wrong sizeof operand meant that security manager private data
was overlaying the allowDiskFormatProbing member of struct
_virSecurityManager.  This reopens disk probing, which was
supposed to be prevented by the solution to CVE-2010-2238.

* src/security/security_manager.c
(virSecurityManagerGetPrivateData): Use correct offset.

diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 0246dd88bd3d23aa2be5ec8a5694a9a9ee752e55..6f0becdb78cf3d7ebe6e06876713375dbd026cff 100644 (file)
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -107,7 +107,9 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name,
 
 void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr)
 {
-    return ((char*)mgr) + sizeof(mgr);
+    /* This accesses the memory just beyond mgr, which was allocated
+     * via VIR_ALLOC_VAR earlier.  */
+    return mgr + 1;
 }