[Qemu-stable] [PATCH 52/99] vnc: fix use-after-free
From: Michael Roth
Subject: [Qemu-stable] [PATCH 52/99] vnc: fix use-after-free
Date: Mon, 23 Jul 2018 15:17:01 -0500
From: Gerd Hoffmann <address@hidden>
When the vnc_client_read() return value is -1, vs is not valid any more.
Fixes: d49b87f0d1e0520443a990fc610d0f02bc63c556
Reported-by: Philippe Mathieu-Daudé <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Marc-André Lureau <address@hidden>
Reviewed-by: Daniel P. Berrangé <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Tested-by: Marc-André Lureau <address@hidden>
Tested-by: Philippe Mathieu-Daudé <address@hidden>
Message-id: address@hidden
(cherry picked from commit 1bc3117abad28d6465ecdb2c944b22943df0e4f3)
Signed-off-by: Michael Roth <address@hidden>
---
ui/vnc.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ui/vnc.c b/ui/vnc.c
index e164eb798c..5526e54f48 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -1539,13 +1539,14 @@ gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
VncState *vs = opaque;
if (condition & G_IO_IN) {
if (vnc_client_read(vs) < 0) {
- goto end;
+ /* vs is free()ed here */
+ return TRUE;
}
}
if (condition & G_IO_OUT) {
vnc_client_write(vs);
}
-end:
+
if (vs->disconnecting) {
if (vs->ioc_tag != 0) {
g_source_remove(vs->ioc_tag);
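Review bot: the early `return TRUE;` added after the failed `vnc_client_read(vs)` call tells GLib to keep this watch installed, which is only safe if the path that frees `vs` inside `vnc_client_read()` has already removed the source the way the `vs->disconnecting` branch below does with `g_source_remove(vs->ioc_tag)`; otherwise the callback can fire again with a dangling `opaque`. The comment `/* vs is free()ed here */` should spell that out, e.g. "vs has been freed and its source removed by the disconnect path; the return value no longer matters", so a future change does not reintroduce a dereference after this point. Minor: replacing the `end:` label with an empty `+` line leaves a stray blank line before `if (vs->disconnecting)`; dropping it keeps the function body tight.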
--
2.17.1