From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4B5F83B2.8060003@codemonkey.ws>
Date: Tue, 26 Jan 2010 18:07:14 -0600
From: Anthony Liguori
Subject: Re: [Qemu-devel] [PATCH] vnc_refresh: calling vnc_update_client might free vs
To: Stefano Stabellini
Cc: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org

On 01/25/2010 06:54 AM, Stefano Stabellini wrote:
> Hi all,
> this patch fixes another bug in vnc_refresh: calling vnc_update_client
> might cause vs to be free()ed, in this case we cannot access vs->next
> right after to examine the next item on the list.
>
> Signed-off-by: Stefano Stabellini
>

Applied. Thanks.

Regards,

Anthony Liguori

> ---
>
> diff --git a/vnc.c b/vnc.c
> index cc2a26e..92facde 100644
> --- a/vnc.c
> +++ b/vnc.c
> @@ -2345,7 +2345,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd) > static void vnc_refresh(void *opaque) > { > VncDisplay *vd = opaque; > - VncState *vs = NULL; > + VncState *vs = NULL, *vn = NULL; > int has_dirty = 0, rects = 0; > > vga_hw_update(); > @@ -2354,8 +2354,10 @@ static void vnc_refresh(void *opaque) > > vs = vd->clients; > while (vs != NULL) { > + vn = vs->next; > rects += vnc_update_client(vs, has_dirty); > - vs = vs->next; > + /* vs might be free()ed here */ > + vs = vn; > } > /* vd->timer could be NULL now if the last client disconnected, > * in this case don't update the timer */ > > > >
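Review bot: In the second hunk, saving `vn = vs->next` before the call is only sound if `vnc_update_client(vs, has_dirty)` can free at most `vs` itself and never another entry of `vd->clients`; if a disconnect path could tear down a different client, `vn` would dangle exactly the way `vs->next` did before this patch. That invariant should be stated where the pointer is taken, and the comment reads better above the call than after it, e.g. `/* vnc_update_client() may free vs (but no other client), so fetch next first */` placed on the `vn = vs->next;` line. This is the save-next-before-visiting idiom that FOREACH_SAFE-style list macros encapsulate, and the trailing context comment about `vd->timer` possibly being NULL once the last client disconnects confirms that the disconnect path does run inside this loop, so the same "what else may be freed here" question applies to any other `vd` state read after the call.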