From: Michal Privoznik
Date: Wed, 9 Jul 2014 07:37:20 +0000 (+0200)
Subject: virEventPollDispatchHandles: Honour array boundaries
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=52f50a716085616cb322f2060ce4377b498af6ad;p=people%2Fliuw%2Flibxenctrl-split%2Flibvirt.git

virEventPollDispatchHandles: Honour array boundaries

When dispatching events from the event loop, the array of registered handles is searched to see which handles an event happened on. However, the array is searched in a weird way: the check for the array boundaries is at the end, so we may touch the elements after the end of the array:

==10434== Invalid read of size 4
==10434== at 0x52D06B6: virEventPollDispatchHandles (vireventpoll.c:486)
==10434== by 0x52D10E4: virEventPollRunOnce (vireventpoll.c:660)
==10434== by 0x52CF207: virEventRunDefaultImpl (virevent.c:308)
==10434== by 0x1639D1: virNetServerRun (virnetserver.c:1139)
==10434== by 0x1220DC: main (libvirtd.c:1507)
==10434== Address 0xc11ff04 is 4 bytes after a block of size 960 alloc'd
==10434== at 0x4C2CA5E: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10434== by 0x52AD378: virReallocN (viralloc.c:245)
==10434== by 0x52AD46E: virExpandN (viralloc.c:294)
==10434== by 0x52AD5B1: virResizeN (viralloc.c:352)
==10434== by 0x52CF2EC: virEventPollAddHandle (vireventpoll.c:116)
==10434== by 0x52CEF5B: virEventAddHandle (virevent.c:78)
==10434== by 0x11F69A90: nodeStateInitialize (node_device_udev.c:1797)
==10434== by 0x53C3C89: virStateInitialize (libvirt.c:743)
==10434== by 0x120563: daemonRunStateInit (libvirtd.c:919)
==10434== by 0x5317719: virThreadHelper (virthread.c:197)
==10434== by 0x8376F39: start_thread (in /lib64/libpthread-2.17.so)
==10434== by 0x8A7F9FC: clone (in /lib64/libc-2.17.so)

Signed-off-by: Michal Privoznik
---
diff --git a/src/util/vireventpoll.c b/src/util/vireventpoll.c
index 528b24c85..13f40dcb1 100644
--- a/src/util/vireventpoll.c
+++ b/src/util/vireventpoll.c
@@ -483,9 +483,9 @@ static int virEventPollDispatchHandles(int nfds, struct pollfd *fds) * fds might be added on end of list, and they're not * in the fds array we've got */ for (i = 0, n = 0; n < nfds && i < eventLoop.handlesCount; n++) { - while ((eventLoop.handles[i].fd != fds[n].fd || - eventLoop.handles[i].events == 0) && - i < eventLoop.handlesCount) { + while (i < eventLoop.handlesCount && + (eventLoop.handles[i].fd != fds[n].fd || + eventLoop.handles[i].events == 0)) { i++; } if (i == eventLoop.handlesCount)
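Review bot: Moving `i < eventLoop.handlesCount` to the front of the `while` condition is the entire fix and it is correct: `&&` short-circuits, so `eventLoop.handles[i]` is no longer dereferenced once `i` has reached `handlesCount`, which is the read past the end of the `handles` array shown in the valgrind trace. Because correctness now depends purely on operand order, a one-line comment such as `/* bounds check must stay first: handles[i] is invalid once i == handlesCount */` would keep a later cleanup from swapping the operands back. The `if (i == eventLoop.handlesCount)` that follows remains the right place to handle the exhausted case, and the outer `for` condition already guards the first iteration of the inner loop, so nothing else in this region needs to change.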