projects / pve-libspice-server.git / blame
| Commit | Line | Data |
|---|---|---|
| 907c9f0e DM |
1 | From 2b6695f1222f68690ea230e4e37ded7e07188f06 Mon Sep 17 00:00:00 2001 |
| 2 | From: Frediano Ziglio <fziglio@redhat.com> | |
| 3 | Date: Tue, 15 Sep 2015 16:38:23 +0100 | |
| 4 | Subject: [PATCH 17/19] Avoid race condition copying segments in red_get_path | |
| 5 | ||
| 6 | The guest can attempt to increase the number of segments while | |
| 7 | spice-server is reading them. | |
| 8 | Make sure we don't copy more then the allocated segments. | |
| 9 | ||
| 10 | Signed-off-by: Frediano Ziglio <fziglio@redhat.com> | |
| 11 | Acked-by: Christophe Fergeau <cfergeau@redhat.com> | |
| 12 | --- | |
| 13 | server/red_parse_qxl.c | 2 +- | |
| 14 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
| 15 | ||
| 16 | diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c | |
| 17 | index 281faad..c7f8650 100644 | |
| 18 | --- a/server/red_parse_qxl.c | |
| 19 | +++ b/server/red_parse_qxl.c | |
| 20 | @@ -272,7 +272,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id, | |
| 21 | seg = (SpicePathSeg*)&red->segments[n_segments]; | |
| 22 | n_segments = 0; | |
| 23 | mem_size2 = sizeof(*red); | |
| 24 | - while (start+1 < end) { | |
| 25 | + while (start+1 < end && n_segments < red->num_segments) { | |
| 26 | red->segments[n_segments++] = seg; | |
| 27 | count = start->count; | |
| 28 | ||
| 29 | -- | |
| 30 | 2.6.1 | |
| 31 |