[Spice-commits] gtk/spice-channel.c
Marc-André Lureau
elmarco at kemper.freedesktop.org
Mon Mar 11 04:46:20 PDT 2013
gtk/spice-channel.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
New commits:
commit b19acbca339a3a630f7f19e1fe5b7cc21fccd737
Author: Dunrong Huang <riegamaths at gmail.com>
Date: Mon Mar 11 16:30:02 2013 +0800
spice-channel: Do not segfault fault if peer_msg was a NULL pointer
$ remote-viewer spice://192.168.0.233:111 # 111 is not a valid spice port
(remote-viewer:29381): GSpice-WARNING **: incomplete link header (-104/16)
Segmentation fault (core dumped)
$ gdb /usr/bin/remote-viewer core
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `remote-viewer spice://192.168.0.233:111'.
Program terminated with signal 11, Segmentation fault.
switch_tls=0x7f9eb6855b88) at spice-channel.c:1675
warning: Source file is more recent than executable.
1675 switch (c->peer_msg->error) {
(gdb) bt
switch_tls=0x7f9eb6855b88) at spice-channel.c:1675
at spice-channel.c:2299
at coroutine_ucontext.c:58
at continuation.c:49
c->peer_msg->error was accessed without checking the validity of pointer in
spice_channel_recv_link_msg(). Actually, c->peer_msg may be a NULL pointer if
we got a error in spice_channel_recv_link_hdr().
This patch fixes this error.
Signed-off-by: Dunrong Huang <riegamaths at gmail.com>
diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index ce19634..7b9807b 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -1175,7 +1175,7 @@ static void spice_channel_switch_protocol(SpiceChannel *channel, gint version)
}
/* coroutine context */
-static void spice_channel_recv_link_hdr(SpiceChannel *channel)
+static gboolean spice_channel_recv_link_hdr(SpiceChannel *channel)
{
SpiceChannelPrivate *c = channel->priv;
int rc;
@@ -1204,19 +1204,20 @@ static void spice_channel_recv_link_hdr(SpiceChannel *channel)
goto error;
}
- return;
+ return TRUE;
error:
/* Windows socket seems to give early CONNRESET errors. The server
does not linger when closing the socket if the protocol is
incompatible. Try with the oldest protocol in this case: */
- if (c->link_hdr.major_version != 1) {
+ if (c->peer_msg != NULL && c->link_hdr.major_version != 1) {
SPICE_DEBUG("%s: error, switching to protocol 1 (spice 0.4)", c->name);
spice_channel_switch_protocol(channel, 1);
- return;
+ return TRUE;
}
emit_main_context(channel, SPICE_CHANNEL_EVENT, SPICE_CHANNEL_ERROR_LINK);
+ return FALSE;
}
#if HAVE_SASL
@@ -2295,7 +2296,8 @@ connected:
}
spice_channel_send_link(channel);
- spice_channel_recv_link_hdr(channel);
+ if (spice_channel_recv_link_hdr(channel) == FALSE)
+ goto cleanup;
spice_channel_recv_link_msg(channel, &switch_tls);
if (switch_tls)
goto cleanup;
More information about the Spice-commits
mailing list