qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)

The qcow2 code assumes that s->snapshots is non-NULL if s->nb_snapshots
!= 0. By having the initialisation of both fields separated in
qcow2_open(), any error occuring in between would cause the error path
to dereference NULL in qcow2_free_snapshots() if the image had any
snapshots.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>

diff --git a/block/qcow2.c b/block/qcow2.c
index d7805ce9433116f54438da40020c857787894f04..b7d204f483b56f694ef8c671d7f60edde492d4a8 100644 (file)
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -203,9 +203,6 @@ static int qcow2_open(BlockDriverState *bs, int flags)
     s->refcount_table_size =
         header.refcount_table_clusters << (s->cluster_bits - 3);
 
-    s->snapshots_offset = header.snapshots_offset;
-    s->nb_snapshots = header.nb_snapshots;
-
     /* read the level 1 table */
     s->l1_size = header.l1_size;
     s->l1_vm_state_index = size_to_l1(s, header.size);
@@ -273,6 +270,11 @@ static int qcow2_open(BlockDriverState *bs, int flags)
         }
         bs->backing_file[len] = '\0';
     }
+
+    /* Internal snapshots */
+    s->snapshots_offset = header.snapshots_offset;
+    s->nb_snapshots = header.nb_snapshots;
+
     if (qcow2_read_snapshots(bs) < 0) {
         ret = -EINVAL;
         goto fail;