From 1b72ad2eaa0c84b2cd56c9e86e614f79a643a0b3 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange"
Date: Wed, 31 Aug 2011 17:01:01 +0100
Subject: [PATCH] Avoid use-after-free on streams, due to message callbacks

When sending outbound stream RPC messages, a callback is used to re-enable stream data transmission. If the stream aborts while one of these messages is outstanding, the stream may have been free'd by the time it is invoked. This results in a use-after-free error

* daemon/stream.c: Ref-count streams to avoid use-after-free
---
 daemon/stream.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/daemon/stream.c b/daemon/stream.c
index 0333dfd187..ba3adc21c9 100644
--- a/daemon/stream.c
+++ b/daemon/stream.c
@@ -38,6 +38,7 @@ struct daemonClientStream {
     daemonClientPrivatePtr priv;
+    int refs;
     virNetServerProgramPtr prog;
@@ -102,6 +103,8 @@ daemonStreamMessageFinished(virNetMessagePtr msg,
     stream->tx = 1;
     daemonStreamUpdateEvents(stream);
+
+    daemonFreeClientStream(NULL, stream);
 }
@@ -299,6 +302,7 @@ daemonCreateClientStream(virNetServerClientPtr client,
         return NULL;
     }
+    stream->refs = 1;
     stream->priv = priv;
     stream->prog = prog;
     stream->procedure = header->proc;
@@ -326,6 +330,10 @@ int daemonFreeClientStream(virNetServerClientPtr client,
     if (!stream)
         return 0;
+    stream->refs--;
+    if (stream->refs)
+        return 0;
+
     VIR_DEBUG("client=%p, proc=%d, serial=%d", client, stream->procedure, stream->serial);
@@ -727,6 +735,7 @@ daemonStreamHandleRead(virNetServerClientPtr client,
     if (msg) {
         msg->cb = daemonStreamMessageFinished;
         msg->opaque = stream;
+        stream->refs++;
         ret = virNetServerProgramSendStreamData(remoteProgram, client, msg,
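Review bot: The new `refs` field in struct daemonClientStream carries no comment stating who holds a reference, so the ownership rule this patch introduces can only be reconstructed by reading hunks 3 and 5 together; add `int refs; /* creator's reference, plus one per queued stream message holding us in msg->opaque */`. The `stream->refs = 1` in daemonCreateClientStream (hunk 3) is that creator's reference and is released by the ordinary daemonFreeClientStream path, while the message callback releases its own, which the comment should say explicitly so a future caller does not add a second owner without a matching release. struct daemonClientStream continues outside the hunk.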
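Review bot: `daemonFreeClientStream(NULL, stream)` is now the last statement of daemonStreamMessageFinished, but nothing says it may free `stream`, and its int result is silently discarded; add above it `/* Drop the reference taken when the message was queued in daemonStreamHandleRead; this may free 'stream', so it must remain the last use. */`. Passing NULL as `client` is only safe if the remainder of daemonFreeClientStream never dereferences it — the visible part of hunk 4 only logs it with `%p`, but that function's body continues outside the hunk, so confirm it. Note also that `stream->tx = 1` and `daemonStreamUpdateEvents(stream)` still run when this callback holds the last reference, i.e. on a stream whose creator has already released it; if daemonStreamUpdateEvents touches state torn down by that release, it should be skipped in the last-reference case. The enclosing function starts outside the hunk.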
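Review bot: The release path `stream->refs--; if (stream->refs) return 0;` treats a negative count as "still referenced", so an over-release (one daemonFreeClientStream call too many) turns into a silent leak rather than a diagnosable bug; consider `if (stream->refs < 0) VIR_WARN("stream %p over-released", stream);` before the early return, or an equivalent debug-build assertion that the count never goes negative. The decrement is also not under any lock visible in the hunk; if daemonStreamMessageFinished can run on a different thread from the other callers of daemonFreeClientStream, the unsynchronised `refs--` / `refs++` pair would race and defeat the use-after-free protection this patch adds — confirm both paths execute under the same client lock. daemonFreeClientStream's body continues outside the hunk.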
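Review bot: `stream->refs++` is taken unconditionally before virNetServerProgramSendStreamData, but the hunk does not show what happens to that reference when the call fails (`ret < 0`); if the message is freed on the error path without `msg->cb` being invoked, the reference is never dropped and the stream can never be freed. Either the send function must be guaranteed to invoke `msg->cb` on every outcome, or the failure path needs an explicit `daemonFreeClientStream(client, stream);` to balance the increment. In both cases a comment on the increment, `/* reference for msg->opaque, released by daemonStreamMessageFinished */`, makes the pairing visible to the next reader. The `if (msg)` body and daemonStreamHandleRead continue outside the hunk.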