[Qemu-devel] [PATCH 49/67] slirp: Fix access to freed memory
From: Michael Roth
Subject: [Qemu-devel] [PATCH 49/67] slirp: Fix access to freed memory
Date: Wed, 14 Dec 2016 18:44:43 -0600
From: Samuel Thibault <address@hidden>
if_start() goes through the slirp->if_fastq and slirp->if_batchq
list of pending messages, and accesses ifm->ifq_so->so_nqueued of its
elements if ifm->ifq_so != NULL. When freeing a socket, we thus need
to make sure that any pending message for this socket does not refer
to the socket any more.
Signed-off-by: Samuel Thibault <address@hidden>
Tested-by: Brian Candler <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit ea64d5f08817b5e79e17135dce516c7583107f91)
Signed-off-by: Michael Roth <address@hidden>
---
slirp/socket.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/slirp/socket.c b/slirp/socket.c
index 280050a..6c18971 100644
--- a/slirp/socket.c
+++ b/slirp/socket.c
@@ -66,6 +66,23 @@ void
sofree(struct socket *so)
{
Slirp *slirp = so->slirp;
+ struct mbuf *ifm;
+
+ for (ifm = (struct mbuf *) slirp->if_fastq.qh_link;
+ (struct quehead *) ifm != &slirp->if_fastq;
+ ifm = ifm->ifq_next) {
+ if (ifm->ifq_so == so) {
+ ifm->ifq_so = NULL;
+ }
+ }
+
+ for (ifm = (struct mbuf *) slirp->if_batchq.qh_link;
+ (struct quehead *) ifm != &slirp->if_batchq;
+ ifm = ifm->ifq_next) {
+ if (ifm->ifq_so == so) {
+ ifm->ifq_so = NULL;
+ }
+ }
if (so->so_emu==EMU_RSH && so->extra) {
sofree(so->extra);
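Review bot: both loops follow only ifq_next, so they clear ifq_so just on the mbufs that sit directly on if_fastq and if_batchq; if slirp also keeps further packets for the same session chained off those queue entries (the per-session list that if_start() re-queues once the head packet has been sent), those mbufs would keep a stale ifq_so pointing at the socket being freed, and the access the commit message describes would survive for sessions with more than one queued packet. Worth confirming against if_output()/if_start() and, if that is the case, walking each entry's session chain as well. Minor: the two loops are identical apart from the queue head; a small static helper taking the queue head and the socket, e.g. `if_clear_so(&slirp->if_fastq, so);` / `if_clear_so(&slirp->if_batchq, so);`, would avoid the duplication and keep the two walks from drifting apart.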
--
1.9.1