From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:39636)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <thardeck@suse.de>) id 1TxEG6-0000OY-Cl
	for qemu-devel@nongnu.org; Mon, 21 Jan 2013 05:05:44 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <thardeck@suse.de>) id 1TxEG4-0000NW-Dy
	for qemu-devel@nongnu.org; Mon, 21 Jan 2013 05:05:42 -0500
Received: from cantor2.suse.de ([195.135.220.15]:59438 helo=mx2.suse.de)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <thardeck@suse.de>) id 1TxEG4-0008Jv-8S
	for qemu-devel@nongnu.org; Mon, 21 Jan 2013 05:05:40 -0500
From: Tim Hardeck <thardeck@suse.de>
Date: Mon, 21 Jan 2013 11:04:45 +0100
Message-Id: <1358762685-676-4-git-send-email-thardeck@suse.de>
In-Reply-To: <1358762685-676-1-git-send-email-thardeck@suse.de>
References: <1358762685-676-1-git-send-email-thardeck@suse.de>
Subject: [Qemu-devel] [PATCH 3/3] vnc: fix possible uninitialized removals
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: aliguori@us.ibm.com, stefanha@gmail.com, github@martintribe.org, blauwirbel@gmail.com, Tim Hardeck <thardeck@suse.de>, alevy@redhat.com, kraxel@redhat.com, corentin.chary@gmail.com

Some VncState values are not initialized before the Websocket handshake.
If it fails QEMU segfaults during the cleanup. To prevent this behavior
intialization checks are added.

Signed-off-by: Tim Hardeck <thardeck@suse.de>
---
 ui/vnc.c |   11 ++++++++---
 ui/vnc.h |    1 +
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/ui/vnc.c b/ui/vnc.c
index ee08894..ff4e2ae 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -1053,20 +1053,24 @@ void vnc_disconnect_finish(VncState *vs)
     audio_del(vs);
     vnc_release_modifiers(vs);
 
-    QTAILQ_REMOVE(&vs->vd->clients, vs, next);
+    if (vs->initialized) {
+        QTAILQ_REMOVE(&vs->vd->clients, vs, next);
+        qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
+    }
 
     if (QTAILQ_EMPTY(&vs->vd->clients)) {
         dcl->idle = 1;
     }
 
-    qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
     vnc_remove_timer(vs->vd);
     if (vs->vd->lock_key_sync)
         qemu_remove_led_event_handler(vs->led);
     vnc_unlock_output(vs);
 
     qemu_mutex_destroy(&vs->output_mutex);
-    qemu_bh_delete(vs->bh);
+    if (vs->bh != NULL) {
+        qemu_bh_delete(vs->bh);
+    }
     buffer_free(&vs->jobs_buffer);
 
     for (i = 0; i < VNC_STAT_ROWS; ++i) {
@@ -2749,6 +2753,7 @@ static void vnc_connect(VncDisplay *vd, int csock, int skipauth, bool websocket)
 
 void vnc_init_state(VncState *vs)
 {
+    vs->initialized = true;
     VncDisplay *vd = vs->vd;
 
     vs->ds = vd->ds;
diff --git a/ui/vnc.h b/ui/vnc.h
index f93c89a..45d7686 100644
--- a/ui/vnc.h
+++ b/ui/vnc.h
@@ -306,6 +306,7 @@ struct VncState
     QEMUPutLEDEntry *led;
 
     bool abort;
+    bool initialized;
     QemuMutex output_mutex;
     QEMUBH *bh;
     Buffer jobs_buffer;
-- 
1.7.10.4