
Re: [Qemu-devel] [PATCH 2/4] monitor: fix access freed memory


From: Alex Bennée
Subject: Re: [Qemu-devel] [PATCH 2/4] monitor: fix access freed memory
Date: Mon, 04 Aug 2014 10:01:09 +0100

zhanghailiang writes:

> The function monitor_fdset_dup_fd_find_remove() references a member of
> 'mon_fdset' which may be freed in function monitor_fdset_cleanup().
>
> Signed-off-by: zhanghailiang <address@hidden>
> ---
>  monitor.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/monitor.c b/monitor.c
> index 5bc70a6..41e46a6 100644
> --- a/monitor.c
> +++ b/monitor.c
> @@ -2532,8 +2532,10 @@ static int monitor_fdset_dup_fd_find_remove(int 
> dup_fd, bool remove)
>  {
>      MonFdset *mon_fdset;
>      MonFdsetFd *mon_fdset_fd_dup;
> +    int64_t id = -1;
>  
>      QLIST_FOREACH(mon_fdset, &mon_fdsets, next) {
> +        id = mon_fdset->id;
>          QLIST_FOREACH(mon_fdset_fd_dup, &mon_fdset->dup_fds, next) {
>              if (mon_fdset_fd_dup->fd == dup_fd) {
>                  if (remove) {
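Review bot: the copy `id = mon_fdset->id;` at the top of the outer QLIST_FOREACH deserves a one-line comment saying why it exists, since on its own it looks like a redundant local that a later cleanup could fold back into the `return`. Something like `/* mon_fdset may be freed by monitor_fdset_cleanup() below; save its id first */` next to that line would record the reason for the change.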
> @@ -2542,7 +2544,7 @@ static int monitor_fdset_dup_fd_find_remove(int dup_fd, 
> bool remove)
>                          monitor_fdset_cleanup(mon_fdset);
>                      }
>                  }
> -                return mon_fdset->id;
> +                return id;
>              }
>          }
>      }
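Review bot: the `return id;` is also what keeps the loop itself safe, not just the return value: if monitor_fdset_cleanup(mon_fdset) frees the node, `mon_fdset` is still the QLIST_FOREACH cursor, and returning immediately is the only thing that stops the macro from reading the freed node's `next` pointer on the following iteration. That reliance should be stated in the commit message or a comment, because replacing the `return` with a `break` or `continue` would reintroduce a use-after-free in the iteration even with `id` cached.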

If monitor_fdset_cleanup closes the FD won't you now be passing an
invalid fd to the calling function?


-- 
Alex Bennée
