From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>,
"Daniel P. Berrange" <berrange@redhat.com>
Subject: [Qemu-devel] [PATCH v1] ui: avoid crash if vnc client disconnects with writes pending
Date: Mon, 27 Jun 2016 16:48:49 +0100 [thread overview]
Message-ID: <1467042529-3372-1-git-send-email-berrange@redhat.com> (raw)
The vnc_client_read() function is called from the vnc_client_io()
event handler callback when there is incoming data to process.
If it detects that the client has disconnected, then it will
trigger cleanup and free'ing of the VncState client struct at
a safe time.
Unfortunately, the vnc_client_io() event handler will also call
vnc_client_write() to handle any outgoing data writes. So if
vnc_client_io() was invoked with both G_IO_IN and G_IO_OUT
events set, and the client disconnects, we may try to write to
a client which has just been freed.
https://bugs.launchpad.net/qemu/+bug/1594861
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
ui/vnc.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/ui/vnc.c b/ui/vnc.c
index 95e4db7..65ab9b1 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -1436,8 +1436,9 @@ static void vnc_jobs_bh(void *opaque)
* First function called whenever there is more data to be read from
* the client socket. Will delegate actual work according to whether
* SASL SSF layers are enabled (thus requiring decryption calls)
+ * Returns 0 on success, -1 if client disconnected
*/
-static void vnc_client_read(VncState *vs)
+static int vnc_client_read(VncState *vs)
{
ssize_t ret;
@@ -1450,8 +1451,9 @@ static void vnc_client_read(VncState *vs)
if (!ret) {
if (vs->disconnecting) {
vnc_disconnect_finish(vs);
+ return -1;
}
- return;
+ return 0;
}
while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
@@ -1461,7 +1463,7 @@ static void vnc_client_read(VncState *vs)
ret = vs->read_handler(vs, vs->input.buffer, len);
if (vs->disconnecting) {
vnc_disconnect_finish(vs);
- return;
+ return -1;
}
if (!ret) {
@@ -1470,6 +1472,7 @@ static void vnc_client_read(VncState *vs)
vs->read_handler_expect = ret;
}
}
+ return 0;
}
gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
@@ -1477,7 +1480,9 @@ gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
{
VncState *vs = opaque;
if (condition & G_IO_IN) {
- vnc_client_read(vs);
+ if (vnc_client_read(vs) < 0) {
+ return TRUE;
+ }
}
if (condition & G_IO_OUT) {
vnc_client_write(vs);
--
2.7.4
reply other threads:[~2016-06-27 15:49 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1467042529-3372-1-git-send-email-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=kraxel@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).