[PATCH] usbredirhost: fix null dereference
Dmitry Frolov
frolov at swemel.ru
Tue Apr 8 13:05:08 UTC 2025
In function usbredirhost_open_full(), when host->parser==NULL,
the call sequence:
"usbredirhost_close() --->
usbredirhost_clear_device() --->
usbredirhost_handle_disconnect()"
is called, where host->parser is being dereferenced without a check.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Dmitry Frolov <frolov at swemel.ru>
---
usbredirhost/usbredirhost.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/usbredirhost/usbredirhost.c b/usbredirhost/usbredirhost.c
index 03c56e9..ad4c09b 100644
--- a/usbredirhost/usbredirhost.c
+++ b/usbredirhost/usbredirhost.c
@@ -269,6 +269,7 @@ static int usbredirhost_write(void *priv, uint8_t *data, int count)
packet completion callbacks */
static void usbredirhost_handle_disconnect(struct usbredirhost *host)
{
+ if(!host->parser) return;
/* Disconnect uses its own lock to avoid needing nesting capable locks */
if (host->disconnect_lock) {
host->parser->lock_func(host->disconnect_lock);
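Review bot: The guard added as the first statement of usbredirhost_handle_disconnect() returns silently and carries no comment saying when host->parser can be NULL. Going by the commit message, that only happens when usbredirhost_open_full() fails before the parser exists and usbredirhost_close() then walks into this function, so a short comment naming that path would keep the check from looking arbitrary later. Because the return skips the entire function body, please confirm that nothing below the visible lines has to run for a partially constructed host. It may also be cleaner to stop the teardown earlier in the usbredirhost_close() / usbredirhost_clear_device() chain named in the commit message, rather than in this leaf function. Style: the adjacent code writes `if (host->disconnect_lock) {` with a space after `if` and a braced body, so `if(!host->parser) return;` should follow the same form.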
--
2.34.1