sheepdog: Defuse time bomb in sd_open() error handling
When qemu_opts_absorb_qdict() fails, sd_open() closes stdin, because sd->fd is still zero. Fortunately, qemu_opts_absorb_qdict() can't fail, because: 1. it only fails when qemu_opt_parse() fails, and 2. the only member of runtime_opts.desc[] is a QEMU_OPT_STRING, and 3. qemu_opt_parse() can't fail for QEMU_OPT_STRING. Defuse this ticking time bomb by jumping behind the file descriptor cleanup on error. Also do that for the error paths where sd->fd is still -1. The file descriptor cleanup happens to do nothing then, but let's not rely on that here. While there, rename label out to err, because it's on the error path, not the normal path out of the function. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
This commit is contained in:
parent
5fe31c25cc
commit
cbc488ee2a
@ -1392,7 +1392,7 @@ static int sd_open(BlockDriverState *bs, QDict *options, int flags,
|
|||||||
if (local_err) {
|
if (local_err) {
|
||||||
error_propagate(errp, local_err);
|
error_propagate(errp, local_err);
|
||||||
ret = -EINVAL;
|
ret = -EINVAL;
|
||||||
goto out;
|
goto err_no_fd;
|
||||||
}
|
}
|
||||||
|
|
||||||
filename = qemu_opt_get(opts, "filename");
|
filename = qemu_opt_get(opts, "filename");
|
||||||
@ -1412,17 +1412,17 @@ static int sd_open(BlockDriverState *bs, QDict *options, int flags,
|
|||||||
}
|
}
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
error_setg(errp, "Can't parse filename");
|
error_setg(errp, "Can't parse filename");
|
||||||
goto out;
|
goto err_no_fd;
|
||||||
}
|
}
|
||||||
s->fd = get_sheep_fd(s, errp);
|
s->fd = get_sheep_fd(s, errp);
|
||||||
if (s->fd < 0) {
|
if (s->fd < 0) {
|
||||||
ret = s->fd;
|
ret = s->fd;
|
||||||
goto out;
|
goto err_no_fd;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = find_vdi_name(s, vdi, snapid, tag, &vid, true, errp);
|
ret = find_vdi_name(s, vdi, snapid, tag, &vid, true, errp);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
goto out;
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -1443,7 +1443,7 @@ static int sd_open(BlockDriverState *bs, QDict *options, int flags,
|
|||||||
fd = connect_to_sdog(s, errp);
|
fd = connect_to_sdog(s, errp);
|
||||||
if (fd < 0) {
|
if (fd < 0) {
|
||||||
ret = fd;
|
ret = fd;
|
||||||
goto out;
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
buf = g_malloc(SD_INODE_SIZE);
|
buf = g_malloc(SD_INODE_SIZE);
|
||||||
@ -1454,7 +1454,7 @@ static int sd_open(BlockDriverState *bs, QDict *options, int flags,
|
|||||||
|
|
||||||
if (ret) {
|
if (ret) {
|
||||||
error_setg(errp, "Can't read snapshot inode");
|
error_setg(errp, "Can't read snapshot inode");
|
||||||
goto out;
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
memcpy(&s->inode, buf, sizeof(s->inode));
|
memcpy(&s->inode, buf, sizeof(s->inode));
|
||||||
@ -1466,12 +1466,12 @@ static int sd_open(BlockDriverState *bs, QDict *options, int flags,
|
|||||||
qemu_opts_del(opts);
|
qemu_opts_del(opts);
|
||||||
g_free(buf);
|
g_free(buf);
|
||||||
return 0;
|
return 0;
|
||||||
out:
|
|
||||||
|
err:
|
||||||
aio_set_fd_handler(bdrv_get_aio_context(bs), s->fd,
|
aio_set_fd_handler(bdrv_get_aio_context(bs), s->fd,
|
||||||
false, NULL, NULL, NULL, NULL);
|
false, NULL, NULL, NULL, NULL);
|
||||||
if (s->fd >= 0) {
|
|
||||||
closesocket(s->fd);
|
closesocket(s->fd);
|
||||||
}
|
err_no_fd:
|
||||||
qemu_opts_del(opts);
|
qemu_opts_del(opts);
|
||||||
g_free(buf);
|
g_free(buf);
|
||||||
return ret;
|
return ret;
|
||||||
|
Loading…
Reference in New Issue
Block a user