[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH] Avoid use-after-free on streams, due to message callbacks



From: "Daniel P. Berrange" <berrange redhat com>

When sending outbound stream RPC messages, a callback is
used to re-enable stream data transmission. If the stream
aborts while one of these messages is outstanding, the
stream may have been free'd by the time it is invoked. This
results in a use-after-free error

* daemon/stream.c: Ref-count streams to avoid use-after-free
---
 daemon/stream.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/daemon/stream.c b/daemon/stream.c
index 7d2b367..ba3adc2 100644
--- a/daemon/stream.c
+++ b/daemon/stream.c
@@ -38,6 +38,7 @@
 
 struct daemonClientStream {
     daemonClientPrivatePtr priv;
+    int refs;
 
     virNetServerProgramPtr prog;
 
@@ -102,6 +103,8 @@ daemonStreamMessageFinished(virNetMessagePtr msg,
 
     stream->tx = 1;
     daemonStreamUpdateEvents(stream);
+
+    daemonFreeClientStream(NULL, stream);
 }
 
 
@@ -299,6 +302,7 @@ daemonCreateClientStream(virNetServerClientPtr client,
         return NULL;
     }
 
+    stream->refs = 1;
     stream->priv = priv;
     stream->prog = prog;
     stream->procedure = header->proc;
@@ -326,6 +330,10 @@ int daemonFreeClientStream(virNetServerClientPtr client,
     if (!stream)
         return 0;
 
+    stream->refs--;
+    if (stream->refs)
+        return 0;
+
     VIR_DEBUG("client=%p, proc=%d, serial=%d",
               client, stream->procedure, stream->serial);
 
@@ -727,7 +735,7 @@ daemonStreamHandleRead(virNetServerClientPtr client,
         if (msg) {
             msg->cb = daemonStreamMessageFinished;
             msg->opaque = stream;
-            virNetServerClientRef(client);
+            stream->refs++;
             ret = virNetServerProgramSendStreamData(remoteProgram,
                                                     client,
                                                     msg,
-- 
1.7.6


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]