rbd: always set out parameter in qemu_rbd_snap_list

The caller expects psn_tab to be NULL when there are no snapshots or
an error occurs. This results in calling g_free on an invalid address.

Reported-by: Oliver Francke <Oliver@filoo.de>
Signed-off-by: Josh Durgin <josh.durgin@dreamhost.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

diff --git a/block/rbd.c b/block/rbd.c
index 312584a1bb05f1111aca367766dda39dcf453437..7a2384c8f9fa0ae0de7a1c63207109ce037c45a4 100644 (file)
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -805,7 +805,7 @@ static int qemu_rbd_snap_list(BlockDriverState *bs,
     } while (snap_count == -ERANGE);
 
     if (snap_count <= 0) {
-        return snap_count;
+        goto done;
     }
 
     sn_tab = g_malloc0(snap_count * sizeof(QEMUSnapshotInfo));
@@ -824,6 +824,7 @@ static int qemu_rbd_snap_list(BlockDriverState *bs,
     }
     rbd_snap_list_end(snaps);
 
+ done:
     *psn_tab = sn_tab;
     return snap_count;
 }