diff options
| author | Alon Levy <alevy@redhat.com> | 2012-02-15 15:04:04 +0200 |
|---|---|---|
| committer | Alon Levy <alevy@redhat.com> | 2012-02-15 15:04:04 +0200 |
| commit | 5ec8515508828ecf5055de220cb0cc0f3c997a27 (patch) | |
| tree | 465540d21306875d200f91401691676d26987d5c /server/reds.h | |
| parent | bdd3bf8777d09c704ff691827c391feb76b05598 (diff) | |
| download | spice-5ec8515508828ecf5055de220cb0cc0f3c997a27.tar.gz spice-5ec8515508828ecf5055de220cb0cc0f3c997a27.tar.xz spice-5ec8515508828ecf5055de220cb0cc0f3c997a27.zip | |
server, separate SpiceChannelEventInfo from RedStream
fixes rhbz 790749 use after free of SpiceChannelEventInfo.
The lifetime of the SpiceChannelEventInfo was that of RedsStream, but it
is used by main_dispatcher_handle_channel_event after the RedsStream is
freed for the cursor and display channels. Making SCEI allocation be at
RedsStream allocation, and deallocation after the DESTROY event is
processed by core->channel_event, fixes use after free.
Diffstat (limited to 'server/reds.h')
| -rw-r--r-- | server/reds.h | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/server/reds.h b/server/reds.h index 2a4e3513..1fd18a70 100644 --- a/server/reds.h +++ b/server/reds.h @@ -77,7 +77,11 @@ struct RedsStream { RedsSASL sasl; #endif - SpiceChannelEventInfo info; + /* life time of info: + * allocated when creating RedsStream. + * deallocated when main_dispatcher handles the SPICE_CHANNEL_EVENT_DISCONNECTED + * event, either from same thread or by call back from main thread. */ + SpiceChannelEventInfo* info; /* private */ ssize_t (*read)(RedsStream *s, void *buf, size_t nbyte); |