[Spice-devel] [PATCH spice-gtk] spice-channel: Do not segfault fault if peer_msg was a NULL pointer

Dunrong Huang riegamaths at gmail.com
Mon Mar 11 01:30:02 PDT 2013


$ remote-viewer spice://192.168.0.233:111 # 111 is not a valid spice port
(remote-viewer:29381): GSpice-WARNING **: incomplete link header (-104/16)
Segmentation fault (core dumped)

$ gdb /usr/bin/remote-viewer core
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `remote-viewer spice://192.168.0.233:111'.
Program terminated with signal 11, Segmentation fault.
    switch_tls=0x7f9eb6855b88) at spice-channel.c:1675

warning: Source file is more recent than executable.
1675	    switch (c->peer_msg->error) {
(gdb) bt
    switch_tls=0x7f9eb6855b88) at spice-channel.c:1675
    at spice-channel.c:2299
    at coroutine_ucontext.c:58
    at continuation.c:49

c->peer_msg->error was accessed without checking the validity of the pointer in
spice_channel_recv_link_msg(). Actually, c->peer_msg may be a NULL pointer if
we got an error in spice_channel_recv_link_hdr().

This patch fixes this error.

Signed-off-by: Dunrong Huang <riegamaths at gmail.com>
---
 gtk/spice-channel.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index ce19634..7b9807b 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -1175,7 +1175,7 @@ static void spice_channel_switch_protocol(SpiceChannel *channel, gint version)
 }
 
 /* coroutine context */
-static void spice_channel_recv_link_hdr(SpiceChannel *channel)
+static gboolean spice_channel_recv_link_hdr(SpiceChannel *channel)
 {
     SpiceChannelPrivate *c = channel->priv;
     int rc;
@@ -1204,19 +1204,20 @@ static void spice_channel_recv_link_hdr(SpiceChannel *channel)
         goto error;
     }
 
-    return;
+    return TRUE;
 
 error:
     /* Windows socket seems to give early CONNRESET errors. The server
        does not linger when closing the socket if the protocol is
        incompatible. Try with the oldest protocol in this case: */
-    if (c->link_hdr.major_version != 1) {
+    if (c->peer_msg != NULL && c->link_hdr.major_version != 1) {
         SPICE_DEBUG("%s: error, switching to protocol 1 (spice 0.4)", c->name);
         spice_channel_switch_protocol(channel, 1);
-        return;
+        return TRUE;
     }
 
     emit_main_context(channel, SPICE_CHANNEL_EVENT, SPICE_CHANNEL_ERROR_LINK);
+    return FALSE;
 }
 
 #if HAVE_SASL
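Review bot: The added `c->peer_msg != NULL &&` condition in the error path guards the protocol-1 fallback on a field that nothing in this hunk sets before `error:` is reached, so on a fresh connection whose header read fails (the case in the backtrace, where peer_msg is NULL) the fallback is skipped and SPICE_CHANNEL_ERROR_LINK is emitted; if peer_msg is only allocated after a complete header, as the description implies, this disables the Windows CONNRESET workaround the comment above describes. The NULL dereference in spice_channel_recv_link_msg() is already prevented by the new `return FALSE;`, so the original condition `if (c->link_hdr.major_version != 1) {` appears sufficient for the fix. Separately, the `return TRUE;` after spice_channel_switch_protocol() reports success without checking whether the switched handshake succeeded — if that helper re-runs the link exchange and it fails, the caller in the later hunk still proceeds to spice_channel_recv_link_msg(); returning the outcome of the retried handshake, or signalling the switch back to the caller, would close that gap. The new gboolean return also needs a documented contract on the function's header comment, e.g. `/* coroutine context; returns FALSE when the link failed and SPICE_CHANNEL_ERROR_LINK was emitted */`. spice_channel_recv_link_hdr's body begins in the previous hunk and its middle lies outside this one.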
@@ -2295,7 +2296,8 @@ connected:
     }
 
     spice_channel_send_link(channel);
-    spice_channel_recv_link_hdr(channel);
+    if (spice_channel_recv_link_hdr(channel) == FALSE)
+        goto cleanup;
     spice_channel_recv_link_msg(channel, &switch_tls);
     if (switch_tls)
         goto cleanup;
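Review bot: The `== FALSE` comparison in the new condition is a point of style: GLib-based code conventionally tests the gboolean directly, `if (!spice_channel_recv_link_hdr(channel))`, which also avoids depending on the exact integer value returned. The surrounding connect function starts and ends outside this hunk, so whether the `cleanup` label releases the socket and peer state on this new early-exit path cannot be confirmed here.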
-- 
1.8.1.5


