[Spice-devel] [vdagent-linux] vdagent: Fix udscs_read_callback memory ownership issue

Victor Toso victortoso at redhat.com
Wed Nov 23 14:03:48 UTC 2016


Hi,

On Wed, Nov 23, 2016 at 02:48:27PM +0100, Christophe Fergeau wrote:
> Previous commit changed ownership rules for the data passed to the
> udscs_read_callback, but forgot to update one of the users.
> Both spice-vdagent and spice-vdagentd use an udscs_read_callback, either
> from udscs_connect() or udscs_create_server().
>
> The previous commit only updated users of udscs_create_server(). This
> caused memory corruption in spice-vdagent which uses udscs_connect().
>
> This fixes https://bugs.freedesktop.org/show_bug.cgi?id=98830

Looks good to me.
Acked-by: Victor Toso <victortoso at redhat.com>

> ---
>  src/vdagent/vdagent.c | 9 ---------
>  1 file changed, 9 deletions(-)
> 
> diff --git a/src/vdagent/vdagent.c b/src/vdagent/vdagent.c
> index 333dfd5..085b84a 100644
> --- a/src/vdagent/vdagent.c
> +++ b/src/vdagent/vdagent.c
> @@ -61,16 +61,13 @@ static void daemon_read_complete(struct udscs_connection **connp,
>      switch (header->type) {
>      case VDAGENTD_MONITORS_CONFIG:
>          vdagent_x11_set_monitor_config(x11, (VDAgentMonitorsConfig *)data, 0);
> -        free(data);
>          break;
>      case VDAGENTD_CLIPBOARD_REQUEST:
>          vdagent_x11_clipboard_request(x11, header->arg1, header->arg2);
> -        free(data);
>          break;
>      case VDAGENTD_CLIPBOARD_GRAB:
>          vdagent_x11_clipboard_grab(x11, header->arg1, (uint32_t *)data,
>                                     header->size / sizeof(uint32_t));
> -        free(data);
>          break;
>      case VDAGENTD_CLIPBOARD_DATA:
>          vdagent_x11_clipboard_data(x11, header->arg1, header->arg2,
> @@ -80,7 +77,6 @@ static void daemon_read_complete(struct udscs_connection **connp,
>          break;
>      case VDAGENTD_CLIPBOARD_RELEASE:
>          vdagent_x11_clipboard_release(x11, header->arg1);
> -        free(data);
>          break;
>      case VDAGENTD_VERSION:
>          if (strcmp((char *)data, VERSION) != 0) {
> @@ -98,7 +94,6 @@ static void daemon_read_complete(struct udscs_connection **connp,
>              vdagent_file_xfers_error(*connp,
>                                       ((VDAgentFileXferStartMessage *)data)->id);
>          }
> -        free(data);
>          break;
>      case VDAGENTD_FILE_XFER_STATUS:
>          if (vdagent_file_xfers != NULL) {
> @@ -108,7 +103,6 @@ static void daemon_read_complete(struct udscs_connection **connp,
>              vdagent_file_xfers_error(*connp,
>                                       ((VDAgentFileXferStatusMessage *)data)->id);
>          }
> -        free(data);
>          break;
>      case VDAGENTD_FILE_XFER_DISABLE:
>          if (debug)
> @@ -126,7 +120,6 @@ static void daemon_read_complete(struct udscs_connection **connp,
>          } else {
>              vdagent_audio_record_sync(avs->mute, avs->nchannels, avs->volume);
>          }
> -        free(data);
>          break;
>      }
>      case VDAGENTD_FILE_XFER_DATA:
> @@ -137,7 +130,6 @@ static void daemon_read_complete(struct udscs_connection **connp,
>              vdagent_file_xfers_error(*connp,
>                                       ((VDAgentFileXferDataMessage *)data)->id);
>          }
> -        free(data);
>          break;
>      case VDAGENTD_CLIENT_DISCONNECTED:
>          vdagent_x11_client_disconnected(x11);
> @@ -150,7 +142,6 @@ static void daemon_read_complete(struct udscs_connection **connp,
>      default:
>          syslog(LOG_ERR, "Unknown message from vdagentd type: %d, ignoring",
>                 header->type);
> -        free(data);
>      }
>  }
>  
> -- 
> 2.9.3
> 