From f2360620fbebc24a0e2d58d0038ed3a007d28521 Mon Sep 17 00:00:00 2001 From: Kevin Wolf Date: Mon, 31 Oct 2011 11:36:32 +0100 Subject: qemu-io: Handle create_iovec errors Callers of create_iovec() didn't check for failure and continued with uninitialised data in error cases. This patch adds checks to each call. Signed-off-by: Kevin Wolf --- qemu-io.c | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) (limited to 'qemu-io.c')
diff --git a/qemu-io.c b/qemu-io.c
index 5af887e057..1c49d447aa 100644
--- a/qemu-io.c
+++ b/qemu-io.c
@@ -596,6 +596,9 @@ static int readv_f(int argc, char **argv)
 nr_iov = argc - optind;
 buf = create_iovec(&qiov, &argv[optind], nr_iov, 0xab);
+ if (buf == NULL) {
+ return 0;
+ }
 gettimeofday(&t1, NULL);
 cnt = do_aio_readv(&qiov, offset, &total);
@@ -850,6 +853,9 @@ static int writev_f(int argc, char **argv)
 nr_iov = argc - optind;
 buf = create_iovec(&qiov, &argv[optind], nr_iov, pattern);
+ if (buf == NULL) {
+ return 0;
+ }
 gettimeofday(&t1, NULL);
 cnt = do_aio_writev(&qiov, offset, &total);
@@ -950,8 +956,8 @@ static int multiwrite_f(int argc, char **argv)
 }
 }
- reqs = g_malloc(nr_reqs * sizeof(*reqs));
- buf = g_malloc(nr_reqs * sizeof(*buf));
+ reqs = g_malloc0(nr_reqs * sizeof(*reqs));
+ buf = g_malloc0(nr_reqs * sizeof(*buf));
 qiovs = g_malloc(nr_reqs * sizeof(*qiovs));
 for (i = 0; i < nr_reqs; i++) {
@@ -985,8 +991,12 @@ static int multiwrite_f(int argc, char **argv)
 nr_iov = j - optind;
 /* Build request */
+ buf[i] = create_iovec(&qiovs[i], &argv[optind], nr_iov, pattern);
+ if (buf[i] == NULL) {
+ goto out;
+ }
+
 reqs[i].qiov = &qiovs[i];
- buf[i] = create_iovec(reqs[i].qiov, &argv[optind], nr_iov, pattern);
 reqs[i].sector = offset >> 9;
 reqs[i].nb_sectors = reqs[i].qiov->size >> 9;
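Review bot: The early `return 0` added after `create_iovec()` in readv_f leaves `qiov` untouched, which is only leak-free if create_iovec() neither initialises the vector nor keeps an allocation when it returns NULL; that contract is not visible in this patch. I would state it where the helper is defined, for example `/* Returns NULL on error; qiov is then left uninitialised and nothing needs freeing. */`, after confirming that it holds. The new checks in writev_f, multiwrite_f, aio_read_f and aio_write_f rest on the same assumption. The bodies of all these functions start and end outside the hunks.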
@@ -1014,7 +1024,9 @@ static int multiwrite_f(int argc, char **argv)
 out:
 for (i = 0; i < nr_reqs; i++) {
 qemu_io_free(buf[i]);
- qemu_iovec_destroy(&qiovs[i]);
+ if (reqs[i].qiov != NULL) {
+ qemu_iovec_destroy(&qiovs[i]);
+ }
 }
 g_free(buf);
 g_free(reqs);
@@ -1185,6 +1197,10 @@ static int aio_read_f(int argc, char **argv)
 nr_iov = argc - optind;
 ctx->buf = create_iovec(&ctx->qiov, &argv[optind], nr_iov, 0xab);
+ if (ctx->buf == NULL) {
+ free(ctx);
+ return 0;
+ }
 gettimeofday(&ctx->t1, NULL);
 acb = bdrv_aio_readv(bs, ctx->offset >> 9, &ctx->qiov,
@@ -1280,6 +1296,10 @@ static int aio_write_f(int argc, char **argv)
 nr_iov = argc - optind;
 ctx->buf = create_iovec(&ctx->qiov, &argv[optind], nr_iov, pattern);
+ if (ctx->buf == NULL) {
+ free(ctx);
+ return 0;
+ }
 gettimeofday(&ctx->t1, NULL);
 acb = bdrv_aio_writev(bs, ctx->offset >> 9, &ctx->qiov,
-- cgit v1.2.1
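Review bot: The new `reqs[i].qiov != NULL` guard in the `out:` loop of multiwrite_f stands in for "qiovs[i] was initialised", and nothing at the guard says so. It is only correct because `reqs` is now zero-allocated and `reqs[i].qiov` is assigned after create_iovec() has succeeded, while `qiovs` itself is still plain `g_malloc` memory. A comment at the guard would keep a later reorder from bringing back a destroy on indeterminate memory, for example `/* qiov is set only after create_iovec() succeeded; NULL means qiovs[i] was never initialised */`. `qemu_io_free(buf[i])` is still called unconditionally and now receives NULL for every request that was not built; its definition is outside this patch, so confirm it accepts NULL or move the call under the same guard.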
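Review bot: The new error path in aio_read_f releases `ctx` with `free()`, while multiwrite_f in the same file releases its arrays with `g_free()`; the allocation of `ctx` is outside the hunk, so check that it comes from the libc allocator. If it turns out to be a `g_malloc`-family allocation, the line should read `g_free(ctx);`, because GLib asks that its allocations be paired with g_free() rather than free(). The same applies to the identical block added to aio_write_f.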