[Spice-commits] gtk/spice-channel.c

Marc-André Lureau elmarco at kemper.freedesktop.org
Mon Mar 11 04:46:20 PDT 2013 

 gtk/spice-channel.c |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

New commits:
commit b19acbca339a3a630f7f19e1fe5b7cc21fccd737
Author: Dunrong Huang <riegamaths at gmail.com>
Date:   Mon Mar 11 16:30:02 2013 +0800

    spice-channel: Do not segfault fault if peer_msg was a NULL pointer
    
    $ remote-viewer spice://192.168.0.233:111 # 111 is not a valid spice port
    (remote-viewer:29381): GSpice-WARNING **: incomplete link header (-104/16)
    Segmentation fault (core dumped)
    
    $ gdb /usr/bin/remote-viewer core
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib64/libthread_db.so.1".
    Core was generated by `remote-viewer spice://192.168.0.233:111'.
    Program terminated with signal 11, Segmentation fault.
        switch_tls=0x7f9eb6855b88) at spice-channel.c:1675
    
    warning: Source file is more recent than executable.
    1675	    switch (c->peer_msg->error) {
    (gdb) bt
        switch_tls=0x7f9eb6855b88) at spice-channel.c:1675
        at spice-channel.c:2299
        at coroutine_ucontext.c:58
        at continuation.c:49
    
    c->peer_msg->error was accessed without checking the validity of pointer in
    spice_channel_recv_link_msg(). Actually, c->peer_msg may be a NULL pointer if
    we got a error in spice_channel_recv_link_hdr().
    
    This patch fixes this error.
    
    Signed-off-by: Dunrong Huang <riegamaths at gmail.com>

diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index ce19634..7b9807b 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -1175,7 +1175,7 @@ static void spice_channel_switch_protocol(SpiceChannel *channel, gint version)
 }
 
 /* coroutine context */
-static void spice_channel_recv_link_hdr(SpiceChannel *channel)
+static gboolean spice_channel_recv_link_hdr(SpiceChannel *channel)
 {
     SpiceChannelPrivate *c = channel->priv;
     int rc;
@@ -1204,19 +1204,20 @@ static void spice_channel_recv_link_hdr(SpiceChannel *channel)
         goto error;
     }
 
-    return;
+    return TRUE;
 
 error:
     /* Windows socket seems to give early CONNRESET errors. The server
        does not linger when closing the socket if the protocol is
        incompatible. Try with the oldest protocol in this case: */
-    if (c->link_hdr.major_version != 1) {
+    if (c->peer_msg != NULL && c->link_hdr.major_version != 1) {
         SPICE_DEBUG("%s: error, switching to protocol 1 (spice 0.4)", c->name);
         spice_channel_switch_protocol(channel, 1);
-        return;
+        return TRUE;
     }
 
     emit_main_context(channel, SPICE_CHANNEL_EVENT, SPICE_CHANNEL_ERROR_LINK);
+    return FALSE;
 }
 
 #if HAVE_SASL
@@ -2295,7 +2296,8 @@ connected:
     }
 
     spice_channel_send_link(channel);
-    spice_channel_recv_link_hdr(channel);
+    if (spice_channel_recv_link_hdr(channel) == FALSE)
+        goto cleanup;
     spice_channel_recv_link_msg(channel, &switch_tls);
     if (switch_tls)
         goto cleanup;

More information about the Spice-commits mailing list