Blob Blame Raw
From bba21b64c47889ee3a11b3f011fab73b84697e16 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 11 Jul 2014 14:20:37 +0200
Subject: [PATCH 04/43] usb-redir: fix use-after-free

Message-id: <1405088470-24115-5-git-send-email-kraxel@redhat.com>
Patchwork-id: 59819
O-Subject: [RHEL-7.1 qemu-kvm PATCH 04/37] usb-redir: fix use-after-free
Bugzilla: 1046574 1088116
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Hans de Goede <hdegoede@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>

Reinitialize dev->cs to NULL after deleting it, to make sure it isn't
used afterwards.

Reported-by: Martin Cerveny <M.Cerveny@computer.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit a14ff8a650b5943ee6221b952494661f7cb3b5e2)
---
 hw/usb/redirect.c | 1 +
 1 file changed, 1 insertion(+)

Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/usb/redirect.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 8b8c010..e3b9f32 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -1334,6 +1334,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
     USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);
 
     qemu_chr_delete(dev->cs);
+    dev->cs = NULL;
     /* Note must be done after qemu_chr_close, as that causes a close event */
     qemu_bh_delete(dev->chardev_close_bh);
 
-- 
1.8.3.1