From a2510f4df1c01a48515504c25cd9f0d9d1e839d0 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 15 Sep 2015 16:38:23 +0100
Subject: [PATCH 62/64] Avoid race condition copying segments in red_get_path
The guest can attempt to increase the number of segments while
spice-server is reading them.
Make sure we don't copy more than the allocated segments.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
 server/red_parse_qxl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
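--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -272,7 +272,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
     seg = (SpicePathSeg*)&red->segments[n_segments];
     n_segments = 0;
     mem_size2 = sizeof(*red);
-    while (start+1 < end) {
+    while (start+1 < end && n_segments < red->num_segments) {
         red->segments[n_segments++] = seg;
         count = start->count;
 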
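Review bot: The added `n_segments < red->num_segments` test caps how many segment pointers the copy loop stores, but `count = start->count;` two lines later is still read from the same source data, which the commit message says the guest can change while it is being read. The hunk ends before the rest of the loop body, so it cannot be seen here whether that re-read `count` is checked against the size used for the allocation; it needs to be, because bounding the segment count alone does not bound how many points are copied per segment. The loop also stops silently once the bound is reached, so a comment above it such as `/* the guest can grow the segment list while we read it; never fill more than the num_segments slots that were allocated */` would record why the extra condition exists. `n_segments` appears to be a signed counter; if `num_segments` is unsigned the comparison is mixed-sign, which is harmless while the counter starts at 0 but worth confirming.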
-- 
2.4.3