From 14f53eef04c38a3c537a1a1012c2f7101a298194 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 15 Sep 2015 16:38:23 +0100
Subject: [PATCH 55/57] Avoid race condition copying segments in red_get_path
The guest can attempt to increase the number of segments while
spice-server is reading them.
Make sure we don't copy more than the allocated segments.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
server/red_parse_qxl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
index 4663bfd..c1df8e8 100644
--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -272,7 +272,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
seg = (SpicePathSeg*)&red->segments[n_segments];
n_segments = 0;
mem_size2 = sizeof(*red);
- while (start+1 < end) {
+ while (start+1 < end && n_segments < red->num_segments) {
red->segments[n_segments++] = seg;
count = start->count;
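Review bot: The new bound `n_segments < red->num_segments` caps writes into the `red->segments` pointer array, but `count = start->count` on the last line of the hunk appears to be a second read of the same guest-shared data, so the per-segment point copy that follows needs its own limit against the allocated size; any such check is outside this hunk. The loop also now ends silently on a mismatch, and if the guest shrinks the data instead, fewer than `red->num_segments` entries get filled, so a check after the loop along the lines of `if (n_segments != red->num_segments)` leading to the function's error path would cover both directions. A comment above the loop such as `/* guest memory can change after the sizing pass; bound every write by what was allocated */` would record why the extra condition exists. The body of red_get_path starts and ends outside the hunk.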
--
2.4.3