[Spice-commits] server/reds.c

Frediano Ziglio fziglio at kemper.freedesktop.org
Tue Jan 31 17:30:30 UTC 2017


 server/reds.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

New commits:
commit 1addd3c5148484bab04092f9086371fe74438dc4
Author: Christophe Fergeau <cfergeau at redhat.com>
Date:   Tue Jan 31 17:48:38 2017 +0100

    Add some NULL checks to spice_server_remove_interface()
    
    Currently, calling spice_server_remove_interface() twice in a row with
    the same SPICE_INTERFACE_CHAR_DEVICE is going to cause a crash when
    calling red_char_device_get_server(char_device->st); because
    char_device->st will have been set to NULL by the first call.
    
    This commit adds a few sanity checks before trying to use the various
    'st' members of the interfaces.
    
    This should avoid the crash described in
    https://bugzilla.redhat.com/show_bug.cgi?id=1411194 even though it's not
    clear how we got in that situation.
    
    Acked-by: Frediano Ziglio <fziglio at redhat.com>

diff --git a/server/reds.c b/server/reds.c
index b052464..8ef4efe 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -3317,10 +3317,14 @@ SPICE_GNUC_VISIBLE int spice_server_add_interface(SpiceServer *reds,
 SPICE_GNUC_VISIBLE int spice_server_remove_interface(SpiceBaseInstance *sin)
 {
     RedsState *reds;
-    const SpiceBaseInterface *interface = sin->sif;
+    const SpiceBaseInterface *interface;
+
+    g_return_val_if_fail(sin != NULL, -1);
 
+    interface = sin->sif;
     if (strcmp(interface->type, SPICE_INTERFACE_TABLET) == 0) {
         SpiceTabletInstance *tablet = SPICE_CONTAINEROF(sin, SpiceTabletInstance, base);
+        g_return_val_if_fail(tablet->st != NULL, -1);
         reds = spice_tablet_state_get_server(tablet->st);
         spice_info("remove SPICE_INTERFACE_TABLET");
         inputs_channel_detach_tablet(reds->inputs_channel, tablet);
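Review bot: The guards this commit adds are all `g_return_val_if_fail()`, which GLib compiles out when `G_DISABLE_CHECKS` is defined and which terminates the process when critical messages are configured as fatal, so the double-remove case from the commit message is not reliably turned into a `-1` return. Because the message says it is unclear how that state is reached, it is better handled as a runtime condition with an explicit test, e.g. `if (tablet->st == NULL) { spice_warning("tablet interface already removed"); return -1; }`, here and for `char_device->st` and `qxl->st` in the next hunk. Separately, `interface = sin->sif;` is followed directly by `strcmp(interface->type, ...)` with no check that `sif` is non-NULL. The body of spice_server_remove_interface() continues outside this hunk.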
@@ -3333,12 +3337,14 @@ SPICE_GNUC_VISIBLE int spice_server_remove_interface(SpiceBaseInstance *sin)
         snd_detach_record(SPICE_CONTAINEROF(sin, SpiceRecordInstance, base));
     } else if (strcmp(interface->type, SPICE_INTERFACE_CHAR_DEVICE) == 0) {
         SpiceCharDeviceInstance *char_device = SPICE_CONTAINEROF(sin, SpiceCharDeviceInstance, base);
+        g_return_val_if_fail(char_device->st != NULL, -1);
         reds = red_char_device_get_server(char_device->st);
         spice_server_char_device_remove_interface(reds, sin);
     } else if (strcmp(interface->type, SPICE_INTERFACE_QXL) == 0) {
         QXLInstance *qxl;
 
         qxl = SPICE_CONTAINEROF(sin, QXLInstance, base);
+        g_return_val_if_fail(qxl->st != NULL, -1);
         reds = red_qxl_get_server(qxl->st);
         reds->qxl_instances = g_list_remove(reds->qxl_instances, qxl);
         red_qxl_destroy(qxl);
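Review bot: The `qxl->st != NULL` check only catches a repeated removal if the first call leaves `st` set to NULL, and nothing visible in this hunk clears it after `red_qxl_destroy(qxl)`; the commit message confirms the reset only for `char_device->st`. If red_qxl_destroy() releases the state without clearing the pointer, a second call would pass the check and hand a stale pointer to `red_qxl_get_server()`, so this is worth confirming and, if needed, following the destroy with `qxl->st = NULL;`. The function starts and ends outside this hunk.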

