From 5ec8515508828ecf5055de220cb0cc0f3c997a27 Mon Sep 17 00:00:00 2001 From: Alon Levy Date: Wed, 15 Feb 2012 15:04:04 +0200 Subject: server, separate SpiceChannelEventInfo from RedStream fixes rhbz 790749 use after free of SpiceChannelEventInfo. The lifetime of the SpiceChannelEventInfo was that of RedsStream, but it is used by main_dispatcher_handle_channel_event after the RedsStream is freed for the cursor and display channels. Making SCEI allocation be at RedsStream allocation, and deallocation after the DESTROY event is processed by core->channel_event, fixes use after free.
---
 server/main_dispatcher.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'server/main_dispatcher.c')
diff --git a/server/main_dispatcher.c b/server/main_dispatcher.c
index cf44b408..f5b8b4c4 100644
--- a/server/main_dispatcher.c
+++ b/server/main_dispatcher.c
@@ -52,6 +52,9 @@ static void main_dispatcher_self_handle_channel_event(
 SpiceChannelEventInfo *info)
 {
 main_dispatcher.core->channel_event(event, info);
+ if (event == SPICE_CHANNEL_EVENT_DISCONNECTED) {
+ free(info);
+ }
 }
 
 static void main_dispatcher_handle_channel_event(void *opaque,
-- cgit
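Review bot: The `free(info)` added after `main_dispatcher.core->channel_event(event, info)` makes this function the owner of `info` once `SPICE_CHANNEL_EVENT_DISCONNECTED` is delivered, but the new lines carry no comment stating that contract, and the commit message speaks of a DESTROY event while the code tests DISCONNECTED. I would add above the `if`: `/* DISCONNECTED is the last event for this info: it is freed here, so channel_event() must not keep the pointer and no other path may free or reuse it. */`. The allocation and the other emitters of the event are outside this page (it is limited to this file), so it is worth confirming that `info` comes from a `malloc`-compatible allocator and that DISCONNECTED reaches this function exactly once per `info`; a second delivery would be a double free and a skipped one a leak. The function's signature begins above the hunk.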