diff options
| author | Yonit Halperin <yhalperi@redhat.com> | 2012-05-31 09:39:14 +0300 |
|---|---|---|
| committer | Yonit Halperin <yhalperi@redhat.com> | 2012-05-31 09:39:14 +0300 |
| commit | 2d2121a17038bc02c83f247a43c16d9580959e04 (patch) | |
| tree | b0c03ccc37ce629e1ffbbaeb037cfcddaba7dca9 /server/red_channel.h | |
| parent | d691602784b3592fdd4e2e54cddc29f53fafdfef (diff) | |
| download | spice-2d2121a17038bc02c83f247a43c16d9580959e04.tar.gz spice-2d2121a17038bc02c83f247a43c16d9580959e04.tar.xz spice-2d2121a17038bc02c83f247a43c16d9580959e04.zip | |
server/red_channel: fix possible access to released channel clients
Added ref count for RedChannel and RedChannelClient.
red_channel.c/red_peer_handle_incoming call to
handler->cb->handle_message might lead to the release of the channel
client, and the following call to handler->cb->release_msg_buf will be
a violation.
This bug can be produced by causing main_channel_handle_parsed
call red_client_destory, e.g., by some violation in
reds_on_main_agent_data that will result in a call to reds_disconnect.
Diffstat (limited to 'server/red_channel.h')
| -rw-r--r-- | server/red_channel.h | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/server/red_channel.h b/server/red_channel.h index 765b74ed..e77e484a 100644 --- a/server/red_channel.h +++ b/server/red_channel.h @@ -225,6 +225,9 @@ struct RedChannelClient { RedChannel *channel; RedClient *client; RedsStream *stream; + + uint32_t refs; + struct { uint32_t generation; uint32_t client_generation; @@ -268,6 +271,8 @@ struct RedChannel { uint32_t type; uint32_t id; + uint32_t refs; + RingItem link; // channels link for reds SpiceCoreInterface *core; |