usb-redir: fix use-after-free

Reinitialize dev->cs to NULL after deleting it, to make sure it isn't used afterwards. Reported-by: N Martin Cerveny <M.Cerveny@computer.org> Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com>

usb-redir: fix use-after-free
Reinitialize dev->cs to NULL after deleting it, to make sure it isn't used afterwards. Reported-by: N Martin Cerveny <M.Cerveny@computer.org> Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com>
a14ff8a6 · Gerd Hoffmann · 75cc1c1f · a14ff8a6
隐藏空白更改
内联并排

Showing with 1 addition and 0 deletion

hw/usb/redirect.c hw/usb/redirect.c +1 -0

未找到文件。
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -1334,6 +1334,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
    USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);

    qemu_chr_delete(dev->cs);
+    dev->cs = NULL;
    /* Note must be done after qemu_chr_close, as that causes a close event */
    qemu_bh_delete(dev->chardev_close_bh);