From cec0f6ad7c8de43ec16d200b437533111f991c82 Mon Sep 17 00:00:00 2001
From: wangmeiyang <wangmeiyang@xfusion.com>
Date: Fri, 21 Apr 2023 14:22:52 +0800
Subject: [PATCH] remote: fix double free of migration params on error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The remote_*_args methods will generally borrow pointers
passed in the caller, so should not be freed.

On failure of the virTypedParamsSerialize method, however,
xdr_free was being called. This is presumably because it
was thought that the params may have been partially
serialized and need cleaning up. This is incorrect, as
virTypedParamsSerialize takes care to cleanup partially
serialized data. This xdr_free call would lead to free'ing
the borrowed cookie pointers, which would be a double free.

origin commit: https://gitlab.com/libvirt/libvirt/-/commit/2b5f9251129d61cfc6cffa63d367af27850602a4
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Signed-off-by: Daniel P. Berrang¨¦ <berrange@redhat.com>
Signed-off-by: Meiyang Wang <wangmeiyang@xfusion.com>
---
 src/remote/remote_driver.c | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 9c272b4ff8..fb34b1e727 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -7067,8 +7067,6 @@ remoteDomainMigrateBegin3Params(virDomainPtr domain,
                                 (virTypedParameterRemotePtr *) &args.params.params_val,
                                 &args.params.params_len,
                                 VIR_TYPED_PARAM_STRING_OKAY) < 0) {
-        xdr_free((xdrproc_t) xdr_remote_domain_migrate_begin3_params_args,
-                 (char *) &args);
         goto cleanup;
     }
 
@@ -7129,8 +7127,6 @@ remoteDomainMigratePrepare3Params(virConnectPtr dconn,
                                 (virTypedParameterRemotePtr *) &args.params.params_val,
                                 &args.params.params_len,
                                 VIR_TYPED_PARAM_STRING_OKAY) < 0) {
-        xdr_free((xdrproc_t) xdr_remote_domain_migrate_prepare3_params_args,
-                 (char *) &args);
         goto cleanup;
     }
 
@@ -7211,8 +7207,6 @@ remoteDomainMigratePrepareTunnel3Params(virConnectPtr dconn,
                                 (virTypedParameterRemotePtr *) &args.params.params_val,
                                 &args.params.params_len,
                                 VIR_TYPED_PARAM_STRING_OKAY) < 0) {
-        xdr_free((xdrproc_t) xdr_remote_domain_migrate_prepare_tunnel3_params_args,
-                 (char *) &args);
         goto cleanup;
     }
 
@@ -7297,8 +7291,6 @@ remoteDomainMigratePerform3Params(virDomainPtr dom,
                                 (virTypedParameterRemotePtr *) &args.params.params_val,
                                 &args.params.params_len,
                                 VIR_TYPED_PARAM_STRING_OKAY) < 0) {
-        xdr_free((xdrproc_t) xdr_remote_domain_migrate_perform3_params_args,
-                 (char *) &args);
         goto cleanup;
     }
 
@@ -7364,8 +7356,6 @@ remoteDomainMigrateFinish3Params(virConnectPtr dconn,
                                 (virTypedParameterRemotePtr *) &args.params.params_val,
                                 &args.params.params_len,
                                 VIR_TYPED_PARAM_STRING_OKAY) < 0) {
-        xdr_free((xdrproc_t) xdr_remote_domain_migrate_finish3_params_args,
-                 (char *) &args);
         goto cleanup;
     }
 
@@ -7433,8 +7423,6 @@ remoteDomainMigrateConfirm3Params(virDomainPtr domain,
                                 (virTypedParameterRemotePtr *) &args.params.params_val,
                                 &args.params.params_len,
                                 VIR_TYPED_PARAM_STRING_OKAY) < 0) {
-        xdr_free((xdrproc_t) xdr_remote_domain_migrate_confirm3_params_args,
-                 (char *) &args);
         goto cleanup;
     }
 
-- 
2.27.0