rbd: Fix use after free in qemu_rbd_set_keypairs() error path

If we want to include the invalid option name in the error message, we
can't free the string earlier than that.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 71c87815f9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
stable-2.11
Kevin Wolf 2018-02-16 19:14:55 +01:00 committed by Michael Roth
parent 6f36bd3969
commit 4f81878152
1 changed files with 2 additions and 1 deletions

@ -265,13 +265,14 @@ static int qemu_rbd_set_keypairs(rados_t cluster, const char *keypairs_json,
key = qstring_get_str(name);
ret = rados_conf_set(cluster, key, qstring_get_str(value));
QDECREF(name);
QDECREF(value);
if (ret < 0) {
error_setg_errno(errp, -ret, "invalid conf option %s", key);
QDECREF(name);
ret = -EINVAL;
break;
}
QDECREF(name);
}
QDECREF(keypairs);
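
Review bot: `key` in `key = qstring_get_str(name);` points into storage owned by `name`, and nothing at that line documents the dependency, so the ordering between `QDECREF(name);` and `error_setg_errno(errp, -ret, "invalid conf option %s", key);` is easy to get wrong again. A one-line comment at the assignment saying that `key` is only valid while the reference on `name` is held would help; so would dropping the local and passing `qstring_get_str(name)` directly to the error message. The release of `name` also ends up written on two paths, inside the `if (ret < 0)` branch and at the end of the loop body. Setting the error and `ret = -EINVAL` in the branch, doing a single `QDECREF(name);` after it, and then breaking on `ret < 0` would leave one release point to maintain. This rendering has lost the +/- markers; going by the commit message and the count of 2 additions and 1 deletion, the `QDECREF(name);` directly after `rados_conf_set()` is the deleted line.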