|
 |
d53d1b |
From ac1960bcc8e2678c0431d11eb7603ad674937f6d Mon Sep 17 00:00:00 2001
|
|
|
d53d1b |
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
|
|
d53d1b |
Date: Fri, 24 Aug 2018 17:18:04 +0100
|
|
|
d53d1b |
Subject: [PATCH] fix crash when connection fails early
|
|
|
d53d1b |
MIME-Version: 1.0
|
|
|
d53d1b |
Content-Type: text/plain; charset=UTF-8
|
|
|
d53d1b |
Content-Transfer-Encoding: 8bit
|
|
|
d53d1b |
|
|
|
d53d1b |
When reading the initial greeting a timer is set in the background. If
|
|
|
d53d1b |
the connection fails early, we can jump to cleanup code before the timer
|
|
|
d53d1b |
is disable. The timer will later fire, read a coroutine context from
|
|
|
d53d1b |
freed memory, and likely jump to somewhere awful with predictably crashy
|
|
|
d53d1b |
results.
|
|
|
d53d1b |
|
|
|
d53d1b |
https://bugzilla.redhat.com/show_bug.cgi?id=1620203
|
|
|
d53d1b |
|
|
|
d53d1b |
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
|
d53d1b |
(cherry picked from commit 06a27a4fb52653b4cbf67b75b8116cf6692b435d)
|
|
|
d53d1b |
---
|
|
|
d53d1b |
src/vncconnection.c | 15 ++++++++++++++-
|
|
|
d53d1b |
1 file changed, 14 insertions(+), 1 deletion(-)
|
|
|
d53d1b |
|
|
|
d53d1b |
diff --git a/src/vncconnection.c b/src/vncconnection.c
|
|
|
d53d1b |
index b6e13d5..afc1418 100644
|
|
|
d53d1b |
--- a/src/vncconnection.c
|
|
|
d53d1b |
+++ b/src/vncconnection.c
|
|
|
d53d1b |
@@ -319,7 +319,9 @@ static gboolean vnc_connection_timeout(gpointer data)
|
|
|
d53d1b |
{
|
|
|
d53d1b |
struct wait_queue *wait = data;
|
|
|
d53d1b |
|
|
|
d53d1b |
+ VNC_DEBUG("Connection timeout wakeup start %p", data);
|
|
|
d53d1b |
g_io_wakeup(wait);
|
|
|
d53d1b |
+ VNC_DEBUG("Connection timeout wakeup done %p", data);
|
|
|
d53d1b |
|
|
|
d53d1b |
return FALSE;
|
|
|
d53d1b |
}
|
|
|
d53d1b |
@@ -5318,6 +5320,7 @@ static gboolean vnc_connection_initialize(VncConnection *conn)
|
|
|
d53d1b |
|
|
|
d53d1b |
priv->absPointer = TRUE;
|
|
|
d53d1b |
|
|
|
d53d1b |
+ VNC_DEBUG("Schedule greeting timeout %p", &priv->wait);
|
|
|
d53d1b |
timeout = g_timeout_add_seconds(2, vnc_connection_timeout, &priv->wait);
|
|
|
d53d1b |
want = 12;
|
|
|
d53d1b |
while (want > 0) {
|
|
|
d53d1b |
@@ -5369,7 +5372,9 @@ static gboolean vnc_connection_initialize(VncConnection *conn)
|
|
|
d53d1b |
}
|
|
|
d53d1b |
|
|
|
d53d1b |
if (timeout != 0) {
|
|
|
d53d1b |
+ VNC_DEBUG("Remove timeout %p", &priv->wait);
|
|
|
d53d1b |
g_source_remove(timeout);
|
|
|
d53d1b |
+ timeout = 0;
|
|
|
d53d1b |
}
|
|
|
d53d1b |
|
|
|
d53d1b |
version[12] = 0;
|
|
|
d53d1b |
@@ -5449,6 +5454,11 @@ static gboolean vnc_connection_initialize(VncConnection *conn)
|
|
|
d53d1b |
return !vnc_connection_has_error(conn);
|
|
|
d53d1b |
|
|
|
d53d1b |
fail:
|
|
|
d53d1b |
+ if (timeout != 0) {
|
|
|
d53d1b |
+ VNC_DEBUG("Remove timeout %p", &priv->wait);
|
|
|
d53d1b |
+ g_source_remove(timeout);
|
|
|
d53d1b |
+ timeout = 0;
|
|
|
d53d1b |
+ }
|
|
|
d53d1b |
return !vnc_connection_has_error(conn);
|
|
|
d53d1b |
}
|
|
|
d53d1b |
|
|
|
d53d1b |
@@ -5481,6 +5491,7 @@ static GSocket *vnc_connection_connect_socket(struct wait_queue *wait,
|
|
|
d53d1b |
if (!sock)
|
|
|
d53d1b |
return NULL;
|
|
|
d53d1b |
|
|
|
d53d1b |
+ VNC_DEBUG("Schedule socket timeout %p", wait);
|
|
|
d53d1b |
guint timeout = g_timeout_add_seconds(10, vnc_connection_timeout, wait);
|
|
|
d53d1b |
|
|
|
d53d1b |
g_socket_set_blocking(sock, FALSE);
|
|
|
d53d1b |
@@ -5513,8 +5524,10 @@ timeout:
|
|
|
d53d1b |
sock = NULL;
|
|
|
d53d1b |
|
|
|
d53d1b |
end:
|
|
|
d53d1b |
- if (timeout != 0)
|
|
|
d53d1b |
+ if (timeout != 0) {
|
|
|
d53d1b |
+ VNC_DEBUG("Remove timeout %p", wait);
|
|
|
d53d1b |
g_source_remove(timeout);
|
|
|
d53d1b |
+ }
|
|
|
d53d1b |
|
|
|
d53d1b |
return sock;
|
|
|
d53d1b |
}
|