From 871e10fc959afd9c56bd1f512d89ce591d2207b9 Mon Sep 17 00:00:00 2001
From: "Jason J. Herne" <jjherne@linux.vnet.ibm.com>
Date: Tue, 26 Jan 2016 13:25:17 -0500
Subject: [PATCH] Fix libvirtd free() segfault when migrating guest with
 deleted open vswitch port

libvirtd crashes on free()ing portData for an open vswitch port if that port
was deleted.  To reproduce:

ovs-vsctl del-port vnet0
virsh migrate --live kvm1 qemu+ssh://dstHost/system

Error message:
libvirtd: *** Error in `/usr/sbin/libvirtd': free(): invalid pointer: 0x000003ff90001e20 ***

The problem is that virCommandRun can return an empty string in the event that
the port being queried does not exist. When this happens then we are
unconditionally overwriting a newline character at position strlen()-1. When
strlen is 0, we overwrite memory that does not belong to the string.

The fix: Only overwrite the newline if the string is not empty.

Reviewed-by: Bjoern Walk <bwalk@linux.vnet.ibm.com>
Signed-off-by: Jason J. Herne <jjherne@linux.vnet.ibm.com>
---
 src/util/virnetdevopenvswitch.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/util/virnetdevopenvswitch.c b/src/util/virnetdevopenvswitch.c
index 6780fb52c8..db01dcf2c0 100644
--- a/src/util/virnetdevopenvswitch.c
+++ b/src/util/virnetdevopenvswitch.c
@@ -222,8 +222,10 @@ int virNetDevOpenvswitchGetMigrateData(char **migrate, const char *ifname)
         goto cleanup;
     }
 
-    /* Wipeout the newline */
-    (*migrate)[strlen(*migrate) - 1] = '\0';
+    /* Wipeout the newline, if it exists */
+    if (strlen(*migrate) > 0)
+        (*migrate)[strlen(*migrate) - 1] = '\0';
+
     ret = 0;
  cleanup:
     virCommandFree(cmd);
-- 
2.39.5