Avoid use-after-free on streams, due to message callbacks
When sending outbound stream RPC messages, a callback is used to re-enable stream data transmission. If the stream aborts while one of these messages is outstanding, the stream may have been freed by the time the callback is invoked. This results in a use-after-free error.
* daemon/stream.c: Ref-count streams to avoid use-after-free
parent
b6263c1801
commit
1b72ad2eaa
@ -38,6 +38,7 @@
|
||||
|
||||
struct daemonClientStream {
|
||||
daemonClientPrivatePtr priv;
|
||||
int refs;
|
||||
|
||||
virNetServerProgramPtr prog;
|
||||
|
||||
@ -102,6 +103,8 @@ daemonStreamMessageFinished(virNetMessagePtr msg,
|
||||
|
||||
stream->tx = 1;
|
||||
daemonStreamUpdateEvents(stream);
|
||||
|
||||
daemonFreeClientStream(NULL, stream);
|
||||
}
|
||||
|
||||
|
||||
@ -299,6 +302,7 @@ daemonCreateClientStream(virNetServerClientPtr client,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
stream->refs = 1;
|
||||
stream->priv = priv;
|
||||
stream->prog = prog;
|
||||
stream->procedure = header->proc;
|
||||
@ -326,6 +330,10 @@ int daemonFreeClientStream(virNetServerClientPtr client,
|
||||
if (!stream)
|
||||
return 0;
|
||||
|
||||
stream->refs--;
|
||||
if (stream->refs)
|
||||
return 0;
|
||||
|
||||
VIR_DEBUG("client=%p, proc=%d, serial=%d",
|
||||
client, stream->procedure, stream->serial);
|
||||
|
||||
@ -727,6 +735,7 @@ daemonStreamHandleRead(virNetServerClientPtr client,
|
||||
if (msg) {
|
||||
msg->cb = daemonStreamMessageFinished;
|
||||
msg->opaque = stream;
|
||||
stream->refs++;
|
||||
ret = virNetServerProgramSendStreamData(remoteProgram,
|
||||
client,
|
||||
msg,
|
||||
|
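Review bot: In the daemonStreamHandleRead hunk, `stream->refs++` is taken before virNetServerProgramSendStreamData() is called, and the only visible release is the `daemonFreeClientStream(NULL, stream)` call added to daemonStreamMessageFinished, so the count balances only if `msg->cb` runs exactly once for every message, including when the send fails. The error path of daemonStreamHandleRead lies outside the hunk, so this cannot be confirmed from here; if a failed send can discard `msg` without invoking the callback, the reference is never dropped and the stream is never freed. The pairing should be stated at the increment, for example `/* ref released by daemonStreamMessageFinished() once msg completes or is freed */`. `refs` is also a plain `int` modified with `++` and `--`, so both sites presumably rely on the same lock being held when the callback fires; that assumption deserves a comment on the struct field as well.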