diff options
| author | Yonit Halperin <yhalperi@redhat.com> | 2012-11-13 11:51:59 -0500 |
|---|---|---|
| committer | Yonit Halperin <yhalperi@redhat.com> | 2012-11-26 11:08:10 -0500 |
| commit | ea97fbb6296ae5f6938f6319c7c07bae5b319739 (patch) | |
| tree | 0e524852d55d734a290ebaf6eed9f6979c8212fc | |
| parent | 0ca75b02350522bedb7b98ab679be9e3851cca76 (diff) | |
| download | spice-ea97fbb6296ae5f6938f6319c7c07bae5b319739.tar.gz spice-ea97fbb6296ae5f6938f6319c7c07bae5b319739.tar.xz spice-ea97fbb6296ae5f6938f6319c7c07bae5b319739.zip | |
reds.c: fix calls to spice_marshaller_add_ref with ptr to memory that might be released before sending
| -rw-r--r-- | server/reds.c | 24 |
1 files changed, 14 insertions, 10 deletions
diff --git a/server/reds.c b/server/reds.c index 98c87061..b99d01ff 100644 --- a/server/reds.c +++ b/server/reds.c @@ -1171,16 +1171,20 @@ void reds_marshall_migrate_data(SpiceMarshaller *m) spice_marshaller_add_uint32(m, SPICE_MIGRATE_DATA_MAIN_VERSION); if (!vdagent) { + uint8_t *null_agent_mig_data; + spice_assert(!agent_state->base); /* MSG_AGENT_CONNECTED_TOKENS is supported by the client (see spice_server_migrate_connect), so SpiceCharDeviceState is destroyed when the agent is disconnected and there is no need to track the client tokens (see reds_reset_vdp) */ spice_char_device_state_migrate_data_marshall_empty(m); - spice_marshaller_add_ref(m, - (uint8_t *)&mig_data + sizeof(SpiceMigrateDataCharDevice), - sizeof(SpiceMigrateDataMain) - sizeof(SpiceMigrateDataCharDevice) - ); + null_agent_mig_data = spice_marshaller_reserve_space(m, + sizeof(SpiceMigrateDataMain) - + sizeof(SpiceMigrateDataCharDevice)); + memset(null_agent_mig_data, + 0, + sizeof(SpiceMigrateDataMain) - sizeof(SpiceMigrateDataCharDevice)); return; } @@ -1196,7 +1200,7 @@ void reds_marshall_migrate_data(SpiceMarshaller *m) mig_data.agent2client.msg_header_done = FALSE; mig_data.agent2client.msg_header_partial_len = 0; - spice_assert(!agent_state->read_filter.msg_data_to_read ); + spice_assert(!agent_state->read_filter.msg_data_to_read); } else { mig_data.agent2client.chunk_header_size = sizeof(VDIChunkHeader); mig_data.agent2client.chunk_header.size = agent_state->message_recive_len; @@ -1214,14 +1218,14 @@ void reds_marshall_migrate_data(SpiceMarshaller *m) } } spice_marshaller_add_uint32(m, mig_data.agent2client.chunk_header_size); - spice_marshaller_add_ref(m, - (uint8_t *)&mig_data.agent2client.chunk_header, - sizeof(VDIChunkHeader)); + spice_marshaller_add(m, + (uint8_t *)&mig_data.agent2client.chunk_header, + sizeof(VDIChunkHeader)); spice_marshaller_add_uint8(m, mig_data.agent2client.msg_header_done); spice_marshaller_add_uint32(m, mig_data.agent2client.msg_header_partial_len); m2 = spice_marshaller_get_ptr_submarshaller(m, 0); - spice_marshaller_add_ref(m2, agent_state->current_read_buf->data, - mig_data.agent2client.msg_header_partial_len); + spice_marshaller_add(m2, agent_state->current_read_buf->data, + mig_data.agent2client.msg_header_partial_len); spice_marshaller_add_uint32(m, mig_data.agent2client.msg_remaining); spice_marshaller_add_uint8(m, mig_data.agent2client.msg_filter_result); |