Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 1180136 - Memory leak when parsing invalid network XML
Memory leak when parsing invalid network XML
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt (Show other bugs)
7.1
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Jiri Denemark
Virtualization Bugs
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-01-08 08:25 EST by Jiri Denemark
Modified: 2015-03-05 02:48 EST (History)
5 users (show)

See Also:
Fixed In Version: libvirt-1.2.8-13.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 02:48:45 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0323 normal SHIPPED_LIVE Low: libvirt security, bug fix, and enhancement update 2015-03-05 07:10:54 EST

  None (edit)
Description Jiri Denemark 2015-01-08 08:25:37 EST
Description of problem:

When parsing network XML with invalid //bridge/macTableManager attribute, libvirt leaks memory used to store the content of the attribute. Found by coverity:

RESOURCE_LEAK:
  39. src/conf/network_conf.c:2117: var_assign: Assigning: "tmp" = storage returned from "virXPathString("string(./bridge[1]/@macTableManager)", ctxt)".
  41. src/conf/network_conf.c:2119: noescape: Resource "tmp" is not freed or pointed-to in "virNetworkBridgeMACTableManagerTypeFromString".
  42. src/conf/network_conf.c:58:1: noescape: "virNetworkBridgeMACTableManagerTypeFromString(char const *)" does not free or save its pointer parameter "type".
  44. src/conf/network_conf.c:2121: noescape: Resource "tmp" is not freed or pointed-to in "virReportErrorHelper".
  47. src/conf/network_conf.c:2353: leaked_storage: Variable "tmp" going out of scope leaks the storage it points to. 

Upstream is not affected because of unrelated commit 3aa05241 which has not been backported.

The memory leak was caused by a backport of 40961978 without noticing we don't have the change made by 3aa05241.

Version-Release number of selected component (if applicable):

libvirt-1.2.8-12.el7

How reproducible:

100%

Steps to Reproduce:
1. "virsh net-define" on an XML with invalid value in //bridge/macTableManager
Comment 3 hongming 2015-01-21 21:40:34 EST
I can reproduce it using libvirt-1.2.8-12.el7.x86_64. 

# rpm -q libvirt
libvirt-1.2.8-12.el7.x86_64

# cat bridge-net.xml 
<network>
  <name>br-net</name>
  <forward mode='bridge'/>
  <bridge name='br0' macTableManager='xxxxx'/>
</network>

# virsh net-define bridge-net.xml
error: Failed to define network from bridge-net.xml
error: XML error: Invalid macTableManager setting ' xxxxx' in network 'br-net'

In another terminal, start valgrind
# valgrind --leak-check=full --show-leak-kinds=all libvirtd

......

==18771== LEAK SUMMARY:
==18771==    definitely lost: 7 bytes in 1 blocks
==18771==    indirectly lost: 0 bytes in 0 blocks
==18771==      possibly lost: 0 bytes in 0 blocks
==18771==    still reachable: 656,174 bytes in 8,246 blocks
==18771==         suppressed: 0 bytes in 0 blocks
==18771== 
==18771== For counts of detected and suppressed errors, rerun with: -v
==18771== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 2 from 2)

==============================================================================
Upgrade libvirt to libvirt-1.2.8-13.el7.x86_64. Valgrind doesn't report memory leak.



# rpm -q libvirt
libvirt-1.2.8-13.el7.x86_64


# virsh net-define bridge-net.xml
error: Failed to define network from bridge-net.xml
error: XML error: Invalid macTableManager setting ' xxxxx' in network 'br-net'


# valgrind --leak-check=full --show-leak-kinds=all libvirtd

......

==19121== LEAK SUMMARY:
==19121==    definitely lost: 0 bytes in 0 blocks
==19121==    indirectly lost: 0 bytes in 0 blocks
==19121==      possibly lost: 0 bytes in 0 blocks
==19121==    still reachable: 656,030 bytes in 8,243 blocks
==19121==         suppressed: 0 bytes in 0 blocks
==19121== 
==19121== For counts of detected and suppressed errors, rerun with: -v
==19121== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 2)
Comment 5 errata-xmlrpc 2015-03-05 02:48:45 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0323.html

Note You need to log in before you can comment on or make changes to this bug.