[Spice-devel] [PATCH v2] Handle flow control without crashing for agent

Frediano Ziglio fziglio at redhat.com
Tue May 31 16:03:25 UTC 2016


> 
> On 05/31/2016 03:06 PM, Frediano Ziglio wrote:
> > RedCharDevice used for the agent has flow control enabled.
> > This makes it possible for red_char_device_write_buffer_get to return NULL.
> > Handle such a situation without crashing, avoiding a NULL dereference.
> >
> > This fixes https://bugs.freedesktop.org/show_bug.cgi?id=95416.
> 
> Hi Frediano
> 
> Ack.
> 

Thanks.

> I'd like to mention that there may be other cases where
> red_char_device_write_buffer_get returns NULL, and
> that the case you mentioned is the one that happens on
> fdo bug 95416 mentioned above.
> 
> Regards,
>      Uri
> 

I just checked, now after all red_char_device_write_buffer_get calls
there is a check for NULL. Note that spice vmc and smartcards do not
use flow control so the function should never return NULL.
The other 2 calls are in reds.c for the agent and are both handled.

Frediano

> >
> > Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
> > ---
> >  server/reds.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> >
> > Changes from v1:
> > - put inline comment to explain the reason of the check.
> >
> > Victor (bug reporter) tested this patch successfully.
> >
> > diff --git a/server/reds.c b/server/reds.c
> > index e4d806c..f8cfdfb 100644
> > --- a/server/reds.c
> > +++ b/server/reds.c
> > @@ -1120,6 +1120,11 @@ uint8_t *reds_get_agent_data_buffer(RedsState *reds,
> > MainChannelClient *mcc, siz
> >      dev->priv->recv_from_client_buf =
> >      red_char_device_write_buffer_get(RED_CHAR_DEVICE(dev),
> >                                                                         client,
> >                                                                         size
> >                                                                         +
> >                                                                         sizeof(VDIChunkHeader));
> 
> 
> 
> > +    /* check if buffer was allocated, as flow control is enabled for
> > +     * this device this is a normal condition */
> > +    if (!dev->priv->recv_from_client_buf) {
> > +        return NULL;
> > +    }
> >      dev->priv->recv_from_client_buf_pushed = FALSE;
> >      return dev->priv->recv_from_client_buf->buf + sizeof(VDIChunkHeader);
> >  }
> >
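Review bot: the early `return NULL` added right after the red_char_device_write_buffer_get call makes NULL a normal return value of reds_get_agent_data_buffer, so every caller has to treat NULL as "no buffer available right now" rather than write into it, and nothing in the hunk states that contract. Consider documenting it in a comment above the function, and wording the inline comment so it is clear the check covers any NULL return from red_char_device_write_buffer_get, with flow control as the expected cause for the agent device. On this path recv_from_client_buf_pushed also keeps its previous value, because the return comes before the `recv_from_client_buf_pushed = FALSE` assignment; it is worth confirming that is intended.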
> 
> 

