vnc: clear vs->tlscreds after unparenting it

This pointer should be cleared in vnc_display_close() otherwise a use-after-free can happen when when using the old style 'x509' and 'tls' options rather than a persistent tls-creds -object, by issuing monitor commands to change the vnc server like so: Start with: -vnc unix:test.socket,x509,tls Then use the following monitor command: change vnc unix:test.socket After this the pointer is still set but invalid and a crash can be triggered for instance by issuing the same command a second time which will try to object_unparent() the same pointer again. Signed-off-by: N Wolfgang Bumiller <w.bumiller@proxmox.com> Reviewed-by: N Daniel P. Berrange <berrange@redhat.com> Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com>

vnc: clear vs->tlscreds after unparenting it
This pointer should be cleared in vnc_display_close() otherwise a use-after-free can happen when when using the old style 'x509' and 'tls' options rather than a persistent tls-creds -object, by issuing monitor commands to change the vnc server like so: Start with: -vnc unix:test.socket,x509,tls Then use the following monitor command: change vnc unix:test.socket After this the pointer is still set but invalid and a crash can be triggered for instance by issuing the same command a second time which will try to object_unparent() the same pointer again. Signed-off-by: N Wolfgang Bumiller <w.bumiller@proxmox.com> Reviewed-by: N Daniel P. Berrange <berrange@redhat.com> Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com>
67c4c2bd · Wolfgang Bumiller · Gerd Hoffmann · fba958c6 · 67c4c2bd
隐藏空白更改
内联并排

Showing with 1 addition and 0 deletion

ui/vnc.c ui/vnc.c +1 -0

未找到文件。
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -3134,6 +3134,7 @@ static void vnc_display_close(VncDisplay *vs)
    vs->subauth = VNC_AUTH_INVALID;
    if (vs->tlscreds) {
        object_unparent(OBJECT(vs->tlscreds));
+        vs->tlscreds = NULL;
    }
    g_free(vs->tlsaclname);
    vs->tlsaclname = NULL;