[Spice-devel] udscs: The read buffer is always reset to NULL

Francois Gouget fgouget at codeweavers.com
Mon Nov 28 08:40:56 UTC 2016


Tweak the code to clarify that conn->data.buf is set to NULL after the
free() in udscs_read_complete().
Note that this reset is needed to avoid a double-free in
udscs_destroy_connection() if an error occurs while receiving
the next message header.

Signed-off-by: Francois Gouget <fgouget at codeweavers.com>
---

On Fri, 25 Nov 2016, Christophe Fergeau wrote:
>
> This memset should set 'buf' to NULL. (can't remember if I took that into
> account while writing the patch though :)

Maybe tweaking the code like below could help make this clearer. The 
comment may be overkill, or maybe on the contrary it should be made more 
explicit.


 src/udscs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/udscs.c b/src/udscs.c
index b468e71..414dce5 100644
--- a/src/udscs.c
+++ b/src/udscs.c
@@ -236,10 +236,10 @@ static void udscs_read_complete(struct udscs_connection **connp)
         if (!*connp) /* Was the connection disconnected by the callback ? */
             return;
     }
-    free(conn->data.buf);
 
+    free(conn->data.buf);
+    memset(&conn->data, 0, sizeof(conn->data)); /* data.buf = NULL */
     conn->header_read = 0;
-    memset(&conn->data, 0, sizeof(conn->data));
 }
 
 /* A helper for udscs_client_handle_fds() */
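Review bot: the comment `/* data.buf = NULL */` on the memset line records the effect but not the reason the commit message gives, namely that a stale data.buf would be freed a second time in udscs_destroy_connection() if reading the next header fails; put that rationale in the comment, or add an explicit `conn->data.buf = NULL;` right after the `free(conn->data.buf);` so the invariant is visible without the reader having to know that buf lives inside the struct being zeroed. The reordering itself is sound: what matters is only that the memset (or the explicit NULL assignment) follows the free(), which both the old and the new placement satisfy.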
-- 
2.10.2
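The failure mode the commit message describes, as an added example that is not code from the spice-vdagent project: a small model of the read-buffer lifecycle in which one function frees the message body after it has been consumed and a teardown function frees whatever buffer the connection still holds. All names (model_conn, model_read_complete, model_destroy_connection, simulate) and the tracking allocator are hypothetical; the model only assumes, as the commit message implies, that the teardown path frees data.buf. With the pointer left dangling after free() the teardown trips a double free; with the memset (or an explicit NULL) it becomes free(NULL), a no-op.

```c
/*
 * Added example, not code from the spice-vdagent project. Models why
 * conn->data.buf must be reset to NULL after free() in a read-complete
 * routine when a separate teardown routine frees the same pointer.
 * A tracking allocator is used so the double free is detected and
 * reported instead of aborting the process.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- tracking allocator: detects double free instead of crashing --- */
#define MAX_LIVE 16
static void *live[MAX_LIVE];

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (!p)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) {
            live[i] = p;
            return p;
        }
    }
    free(p);
    return NULL;
}

/* Returns 0 on a valid free (or free(NULL)), -1 on a double/invalid free. */
static int tracked_free(void *p)
{
    if (!p)
        return 0;                        /* free(NULL) is a no-op, as in libc */
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) {
            live[i] = NULL;
            free(p);
            return 0;
        }
    }
    return -1;                           /* pointer not live: double free */
}

/* --- hypothetical model of the connection state --- */
struct model_data {
    void *buf;                           /* message body, NULL when none owned */
    size_t size;
    size_t pos;
};

struct model_conn {
    int header_read;
    struct model_data data;
};

/* Called once a whole message has been consumed. reset_after_free == 0
 * leaves the freed pointer in place; reset_after_free == 1 mirrors the
 * patched udscs_read_complete(): free(), then zero data (buf = NULL). */
static void model_read_complete(struct model_conn *conn, int reset_after_free)
{
    tracked_free(conn->data.buf);
    if (reset_after_free)
        memset(&conn->data, 0, sizeof(conn->data)); /* data.buf = NULL */
    conn->header_read = 0;
}

/* Teardown path (hypothetical stand-in for udscs_destroy_connection()):
 * frees whatever buffer the connection still owns. */
static int model_destroy_connection(struct model_conn *conn)
{
    int rc = tracked_free(conn->data.buf);
    conn->data.buf = NULL;
    return rc;
}

/* One complete message, then a failed read of the next header that leads
 * to teardown. Returns 0 if teardown was clean, -1 on a double free. */
static int simulate(int reset_after_free)
{
    struct model_conn conn;
    memset(&conn, 0, sizeof(conn));
    memset(live, 0, sizeof(live));

    /* Receive one complete message: body allocated, then consumed. */
    conn.data.size = 32;
    conn.data.buf = tracked_malloc(conn.data.size);
    conn.header_read = 1;
    model_read_complete(&conn, reset_after_free);

    /* Error while reading the next header: nothing new was allocated, so
     * data.buf still holds whatever model_read_complete() left there. */
    return model_destroy_connection(&conn);
}

int main(void)
{
    printf("without reset: %s\n", simulate(0) == 0 ? "clean" : "DOUBLE FREE");
    printf("with reset:    %s\n", simulate(1) == 0 ? "clean" : "DOUBLE FREE");
    return 0;
}
```

Running it prints the unreset case as a double free and the reset case as clean. The point for reviewers is that the safety of the teardown path rests on an invariant set elsewhere (buf is either live or NULL), which is why it is worth spelling out in the code rather than only in the commit message.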

