[Spice-devel] [PATCH spice-server v2 1/3] dcc: Fix NULL pointer dereference attempting to connect duplicate channels

Jonathon Jongsma jjongsma at redhat.com
Wed Sep 6 21:04:22 UTC 2017


Acked-by: Jonathon Jongsma <jjongsma at redhat.com>



On Wed, 2017-08-30 at 10:36 +0100, Frediano Ziglio wrote:
> You could easily trigger this issue using multiple monitors and
> a modified spice-gtk client with this patch:
> 
> --- a/src/channel-main.c
> +++ b/src/channel-main.c
> @@ -1699,6 +1699,7 @@ static gboolean _channel_new(channel_new_t *c)
>  {
>      g_return_val_if_fail(c != NULL, FALSE);
> 
> +    if (c->type == SPICE_CHANNEL_DISPLAY) c->id = 0;
>      spice_channel_new(c->session, c->type, c->id);
> 
>      g_object_unref(c->session);
> 
> This happens as g_initable_new in this case returns NULL (dcc.c).
> 
> Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
> ---
>  server/dcc.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/server/dcc.c b/server/dcc.c
> index 2778bb88..459a7faf 100644
> --- a/server/dcc.c
> +++ b/server/dcc.c
> @@ -516,7 +516,9 @@ DisplayChannelClient *dcc_new(DisplayChannel
> *display,
>                           NULL);
>      spice_debug("New display (client %p) dcc %p stream %p", client,
> dcc, stream);
>      common_graphics_channel_set_during_target_migrate(COMMON_GRAPHIC
> S_CHANNEL(display), mig_target);
> -    dcc->priv->id =
> common_graphics_channel_get_qxl(COMMON_GRAPHICS_CHANNEL(display))-
> >id;
> +    if (dcc) {
> +        dcc->priv->id =
> common_graphics_channel_get_qxl(COMMON_GRAPHICS_CHANNEL(display))-
> >id;
> +    }
>  
>      return dcc;
>  }
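
Review bot: the `if (dcc)` guard comes after both `spice_debug("New display ...")` and `common_graphics_channel_set_during_target_migrate(..., mig_target)`, so on the failure path the server still logs a new display with a NULL dcc and still sets the migration-target flag on the display channel for a connection that was never created. Consider returning NULL right after the object construction call fails, before those two lines; that also makes the wrapper around the `dcc->priv->id` assignment unnecessary. Because dcc_new() can now return NULL, a short comment on the function saying so would help, and the callers need to handle that return value.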

