From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Mon, 30 Jan 2017 10:08:50 +0000 (+0000)
Subject: tools/libxc: Fix missing va_end() in do_dm_op() error path
X-Git-Tag: archive/raspbian/4.11.1-1+rpi1~1^2~66^2~2881
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https:/%22bookmarks://%22Dat/%22http:/www.example.com/cgi/%22https:/%22bookmarks:/%22Dat?a=commitdiff_plain;h=7581a378b0b8727b6eaaa83da154e40bcfea0f69;p=xen.git

tools/libxc: Fix missing va_end() in do_dm_op() error path

The fail3 error path skips the va_end() call, which typically leaks memory for
64bit x86 code.

Introduced by c/s 524a98c2ac5, spotted by Coverity.

Coverity-ID: 1399608
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
---

diff --git a/tools/libxc/xc_private.c b/tools/libxc/xc_private.c
index 809183c0d4..f0e089c704 100644
--- a/tools/libxc/xc_private.c
+++ b/tools/libxc/xc_private.c
@@ -803,7 +803,7 @@ int do_dm_op(xc_interface *xch, domid_t domid, unsigned int nr_bufs, ...)
 
         bounce[idx].h = xencall_alloc_buffer(xch->xcall, size);
         if ( bounce[idx].h == NULL )
-            goto fail3;
+            break; /* Error path handled after va_end(). */
 
         memcpy(bounce[idx].h, u, size);
         bounce[idx].u = u;
@@ -813,6 +813,9 @@ int do_dm_op(xc_interface *xch, domid_t domid, unsigned int nr_bufs, ...)
     }
     va_end(args);
 
+    if ( idx != nr_bufs )
+        goto fail3;
+
     ret = xencall3(xch->xcall, __HYPERVISOR_dm_op,
                    domid, nr_bufs, HYPERCALL_BUFFER_AS_ARG(bufs));
     if ( ret < 0 )