[PATCH] usbredirhost: fix null dereference

Dmitry Frolov frolov at swemel.ru
Tue Apr 8 13:05:08 UTC 2025


In function usbredirhost_open_full(), when host->parser==NULL,
the call sequence:
"usbredirhost_close() --->
    usbredirhost_clear_device() --->
        usbredirhost_handle_disconnect()"
is called, where host->parser is being derefferenced without a check.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Frolov <frolov at swemel.ru>
---
 usbredirhost/usbredirhost.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/usbredirhost/usbredirhost.c b/usbredirhost/usbredirhost.c
index 03c56e9..ad4c09b 100644
--- a/usbredirhost/usbredirhost.c
+++ b/usbredirhost/usbredirhost.c
@@ -269,6 +269,7 @@ static int usbredirhost_write(void *priv, uint8_t *data, int count)
    packet completion callbacks */
 static void usbredirhost_handle_disconnect(struct usbredirhost *host)
 {
+    if(!host->parser) return;
     /* Disconnect uses its own lock to avoid needing nesting capable locks */
     if (host->disconnect_lock) {
         host->parser->lock_func(host->disconnect_lock);
-- 
2.34.1



More information about the Spice-devel mailing list