From: Gerd Hoffmann
Date: Tue, 12 Jan 2016 15:26:42 +0100
Message-ID: <1452608802.29014.27.camel@redhat.com>
In-Reply-To: <1452603159-19782-1-git-send-email-w.bumiller@proxmox.com>
Subject: Re: [Qemu-devel] [PATCH] vnc: clear vs->tlscreds after unparenting it
To: Wolfgang Bumiller
Cc: qemu-trivial@nongnu.org, qemu-devel@nongnu.org

On Tue, 2016-01-12 at 13:52 +0100, Wolfgang Bumiller wrote:
> This pointer should be cleared in vnc_display_close()
> otherwise a use-after-free can happen when using the
> old style 'x509' and 'tls' options rather than a persistent
> tls-creds -object, by issuing monitor commands to change
> the vnc server like so:
>
> Start with: -vnc unix:test.socket,x509,tls
> Then use the following monitor command:
> change vnc unix:test.socket
>
> After this the pointer is still set but invalid and a crash
> can be triggered for instance by issuing the same command a
> second time which will try to object_unparent() the same
> pointer again.

Added to patch queue.

thanks,
  Gerd
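The dangling-pointer pattern the commit message describes, as an added example that is not part of this thread and not QEMU's code: a mock reference-counted object stands in for the QOM tls-creds object, and the mock marks itself freed instead of calling free() so that the second object_unparent() on the stale pointer is observable rather than undefined behaviour. The struct and function names (MockObject, VncDisplayMock, vnc_display_close_buggy, vnc_display_close_fixed, simulate) are hypothetical; the sequence simulated (start with x509,tls, then two 'change vnc' commands without tls options, so the creds object is never recreated) follows the message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a QOM object owned by a parent (not QEMU's
 * implementation). Instead of freeing on the last unref it sets 'freed',
 * so a later access through a stale pointer can be counted. */
typedef struct MockObject {
    int refcount;
    bool freed;
} MockObject;

/* Number of accesses to an already-freed object seen during a run. */
static int g_use_after_free = 0;

static MockObject *mock_object_new(void)
{
    MockObject *o = calloc(1, sizeof(*o));
    o->refcount = 1;            /* the parent's reference */
    return o;
}

/* Mock of object_unparent(): drop the parent's reference. In real code the
 * object would be free()d here; a second call on the same pointer is a UAF. */
static void mock_object_unparent(MockObject *o)
{
    if (o->freed) {             /* touching freed memory */
        g_use_after_free++;
        return;
    }
    if (--o->refcount == 0) {
        o->freed = true;        /* would be free(o) in real code */
    }
}

/* Hypothetical display state: only the field the bug is about. */
typedef struct VncDisplayMock {
    MockObject *tlscreds;
} VncDisplayMock;

/* Before the patch: the creds object is unparented but the pointer is
 * left set, so the next close unparents freed memory. */
static void vnc_display_close_buggy(VncDisplayMock *vd)
{
    if (vd->tlscreds) {
        mock_object_unparent(vd->tlscreds);
        /* vd->tlscreds still points at the freed object */
    }
}

/* After the patch: clear the pointer once the object is unparented. */
static void vnc_display_close_fixed(VncDisplayMock *vd)
{
    if (vd->tlscreds) {
        mock_object_unparent(vd->tlscreds);
        vd->tlscreds = NULL;
    }
}

/* Start with '-vnc ...,x509,tls' (creds created), then issue
 * 'change vnc unix:test.socket' twice. Re-opening without tls options
 * creates no new creds object, so the stale pointer is what the second
 * close sees. Returns the number of freed-object accesses observed. */
static int simulate(void (*close_fn)(VncDisplayMock *))
{
    VncDisplayMock vd = { .tlscreds = mock_object_new() };
    MockObject *creds = vd.tlscreds;   /* kept only to release the mock */

    g_use_after_free = 0;
    close_fn(&vd);   /* first 'change vnc unix:test.socket' */
    close_fn(&vd);   /* second 'change vnc unix:test.socket' */

    free(creds);
    return g_use_after_free;
}

int main(void)
{
    printf("buggy close: %d use-after-free access(es)\n",
           simulate(vnc_display_close_buggy));
    printf("fixed close: %d use-after-free access(es)\n",
           simulate(vnc_display_close_fixed));
    return 0;
}
```

The check a reviewer wants from such a fix is exactly the one the simulation makes: after the owning reference is dropped, the field that held it must not be usable for a second unparent, so clearing it at the point of release (rather than relying on callers to remember) is the safe shape.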