xenstat: Fix buffer over-run with new_domains being negative.

Coverity identified this as:
CID 1055740 Out-of-bounds read - "In xenstat_get_node:
Out-of-bounds read from a buffer (CWE-125)"

And sure enough, if xc_domain_getinfolist returns us -1, we will
try to use it later on in the for (i = 0; i < new_domains; ..)
loop.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

diff --git a/tools/xenstat/libxenstat/src/xenstat.c b/tools/xenstat/libxenstat/src/xenstat.c
index 104655d5f13397abdae407165d41d38b75dfe6fe..e5facb84f55ea4f4493e3b1a34586bb74f2d1e96 100644 (file)
--- a/tools/xenstat/libxenstat/src/xenstat.c
+++ b/tools/xenstat/libxenstat/src/xenstat.c
@@ -208,15 +208,15 @@ xenstat_node *xenstat_get_node(xenstat_handle * handle, unsigned int flags)
                                                    node->num_domains, 
                                                    DOMAIN_CHUNK_SIZE, 
                                                    domaininfo);
+               if (new_domains < 0)
+                       goto err;
 
                tmp = realloc(node->domains,
                              (node->num_domains + new_domains)
                              * sizeof(xenstat_domain));
-               if (tmp == NULL) {
-                       free(node->domains);
-                       free(node);
-                       return NULL;
-               }
+               if (tmp == NULL)
+                       goto err;
+
                node->domains = tmp;
 
                domain = node->domains + node->num_domains;
@@ -280,6 +280,10 @@ xenstat_node *xenstat_get_node(xenstat_handle * handle, unsigned int flags)
        }
 
        return node;
+err:
+       free(node->domains);
+       free(node);
+       return NULL;
 }
 
 void xenstat_free_node(xenstat_node * node)