Commit 06a27a4f authored by Daniel P. Berrangé's avatar Daniel P. Berrangé

fix crash when connection fails early

When reading the initial greeting a timer is set in the background. If
the connection fails early, we can jump to cleanup code before the timer
is disable. The timer will later fire, read a coroutine context from
freed memory, and likely jump to somewhere awful with predictably crashy
results.

  https://bugzilla.redhat.com/show_bug.cgi?id=1620203Signed-off-by: default avatarDaniel P. Berrangé <berrange@redhat.com>
parent a1080abb
......@@ -319,7 +319,9 @@ static gboolean vnc_connection_timeout(gpointer data)
{
struct wait_queue *wait = data;
VNC_DEBUG("Connection timeout wakeup start %p", data);
g_io_wakeup(wait);
VNC_DEBUG("Connection timeout wakeup done %p", data);
return FALSE;
}
......@@ -5318,6 +5320,7 @@ static gboolean vnc_connection_initialize(VncConnection *conn)
priv->absPointer = TRUE;
VNC_DEBUG("Schedule greeting timeout %p", &priv->wait);
timeout = g_timeout_add_seconds(2, vnc_connection_timeout, &priv->wait);
want = 12;
while (want > 0) {
......@@ -5369,7 +5372,9 @@ static gboolean vnc_connection_initialize(VncConnection *conn)
}
if (timeout != 0) {
VNC_DEBUG("Remove timeout %p", &priv->wait);
g_source_remove(timeout);
timeout = 0;
}
version[12] = 0;
......@@ -5449,6 +5454,11 @@ static gboolean vnc_connection_initialize(VncConnection *conn)
return !vnc_connection_has_error(conn);
fail:
if (timeout != 0) {
VNC_DEBUG("Remove timeout %p", &priv->wait);
g_source_remove(timeout);
timeout = 0;
}
return !vnc_connection_has_error(conn);
}
......@@ -5481,6 +5491,7 @@ static GSocket *vnc_connection_connect_socket(struct wait_queue *wait,
if (!sock)
return NULL;
VNC_DEBUG("Schedule socket timeout %p", wait);
guint timeout = g_timeout_add_seconds(10, vnc_connection_timeout, wait);
g_socket_set_blocking(sock, FALSE);
......@@ -5513,8 +5524,10 @@ timeout:
sock = NULL;
end:
if (timeout != 0)
if (timeout != 0) {
VNC_DEBUG("Remove timeout %p", wait);
g_source_remove(timeout);
}
return sock;
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment