From: Josh Durgin <josh.durgin@dreamhost.com>
Date: Wed, 7 Dec 2011 01:05:10 +0000 (-0800)
Subject: rbd: always set out parameter in qemu_rbd_snap_list
X-Git-Tag: qemu-xen-4.2.0~43
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=e47c212cb5af148ab6d9dcf49bc0e054fe9c2e1d;p=qemu-upstream-4.2-testing.git

rbd: always set out parameter in qemu_rbd_snap_list

The caller expects psn_tab to be NULL when there are no snapshots or
an error occurs. This results in calling g_free on an invalid address.

Reported-by: Oliver Francke <Oliver@filoo.de>
Signed-off-by: Josh Durgin <josh.durgin@dreamhost.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---

diff --git a/block/rbd.c b/block/rbd.c
index 9088c52d2..54a696173 100644
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -808,7 +808,7 @@ static int qemu_rbd_snap_list(BlockDriverState *bs,
     } while (snap_count == -ERANGE);
 
     if (snap_count <= 0) {
-        return snap_count;
+        goto done;
     }
 
     sn_tab = g_malloc0(snap_count * sizeof(QEMUSnapshotInfo));
@@ -827,6 +827,7 @@ static int qemu_rbd_snap_list(BlockDriverState *bs,
     }
     rbd_snap_list_end(snaps);
 
+ done:
     *psn_tab = sn_tab;
     return snap_count;
 }