[Spice-devel] [spice-gtk v1 2/2] vmcstream: consider incomplete messages

Marc-André Lureau marcandre.lureau at redhat.com
Tue Aug 1 13:43:00 UTC 2017



----- Original Message -----
> From: Victor Toso <me at victortoso.com>
> 
> spice_vmc_input_stream_co_data() is called with the payload of
> message ($data) and this buffer size ($size).
> 
> The client of this demux reads each parameter using
> spice_vmc_input_stream_read_all_async() by passing the size of the
> message that it wants which is stored in self->count.
> 
> This patch fixes the demux code as it does not consider that the requested
> message from the client could be bigger than what was received initially
> on spice_vmc_input_stream_co_data().
> 
> This patch, together with the previous patch, fixes a crash reported
> on rhbz#1474074 with backtrace:
> 
> > #0 g_socket_create_source at gsocket.c:3700
> > #1 g_coroutine_socket_wait at gio-coroutine.c:59
> > #2 spice_channel_iterate_read at spice-channel.c:2246
> > #3 spice_channel_iterate at spice-channel.c:2291
> > #4 spice_channel_coroutine at spice-channel.c:2583
> > #5 coroutine_trampoline at coroutine_ucontext.c:63
> > #6 continuation_trampoline at continuation.c:55
> 
> Reproducer for this is the same as given in previous patch but using a
> Windows 7 VM with spice-webdavd installed.
> 
> Note that the message from spice-webdavd is bogus here but client
> should not crash.
> 
> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1474074
> 
> Signed-off-by: Victor Toso <victortoso at redhat.com>
> ---
>  src/vmcstream.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/vmcstream.c b/src/vmcstream.c
> index 0634bce..7ea8c7f 100644
> --- a/src/vmcstream.c
> +++ b/src/vmcstream.c
> @@ -142,7 +142,7 @@ spice_vmc_input_stream_co_data(SpiceVmcInputStream *self,
>  
>          g_return_if_fail(self->task != NULL);
>  
> -        gsize min = MIN(self->count, size);
> +        gsize min = MIN(self->count - self->pos, size);

Looks right, good one, ACK

>          memcpy(self->buffer, data, min);
>  
>          size -= min;
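
Review bot: the new bound `self->count - self->pos` on the `gsize min` line is computed without checking that `self->pos` does not exceed `self->count`. If both fields are unsigned like `min`, a `pos` larger than `count` wraps to a huge value, MIN() then selects `size`, and the following `memcpy(self->buffer, data, min)` copies the entire incoming payload regardless of how much room the reader requested. Since the commit message notes that the peer's message can be bogus, consider adding `g_return_if_fail(self->pos <= self->count);` next to the existing `self->task` check. It is also worth confirming that `self->buffer` is advanced together with `self->pos` outside the visible context, because the memcpy destination carries no `pos` offset in these lines.
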
> --
> 2.13.0
> 