> On 05/31/2016 03:06 PM, Frediano Ziglio wrote:
> > RedCharDevice used for the agent has flow control enabled.
> > This makes it possible for red_char_device_write_buffer_get to return NULL.
> > Handle such situation without crashing avoiding NULL dereference.
> >
> > This fixes https://bugs.freedesktop.org/show_bug.cgi?id=95416.
>
> Hi Frediano
>
> Ack.
> Thanks.
> I'd like to mention that there may be other cases where
> red_char_device_write_buffer_get returns NULL, and
> that the case you mentioned is the one that happens on
> fdo bug 95416 mentioned above.
>
> Regards,
> Uri
>

I just checked, now after all red_char_device_write_buffer_get calls
there is a check for NULL. Note that spice vmc and smartcards do not
use flow control so function should never return NULL. The other 2 calls
are in reds.c for the agent and are both handled.

Frediano

> >
> > Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
> > ---
> > server/reds.c | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > Changes from v1:
> > - put inline comment to explain the reason of the check.
> >
> > Victor (bug reporter) tested this patch successfully.
> >
> > diff --git a/server/reds.c b/server/reds.c > > index e4d806c..f8cfdfb 100644 > > --- a/server/reds.c > > +++ b/server/reds.c 
> > @@ -1120,6 +1120,11 @@ uint8_t *reds_get_agent_data_buffer(RedsState *reds, > > MainChannelClient *mcc, siz > > dev->priv->recv_from_client_buf = > > red_char_device_write_buffer_get(RED_CHAR_DEVICE(dev), > > client, > > size > > + > > sizeof(VDIChunkHeader)); > > > > > + /* check if buffer was allocated, as flow control is enabled for > > + * this device this is a normal condition */ > > + if (!dev->priv->recv_from_client_buf) { > > + return NULL; > > + } > > dev->priv->recv_from_client_buf_pushed = FALSE; > > return dev->priv->recv_from_client_buf->buf + sizeof(VDIChunkHeader); > > } > > > > _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel
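Review bot: the early `return NULL` added right after the red_char_device_write_buffer_get call makes NULL a normal return value of reds_get_agent_data_buffer, yet the patch changes only server/reds.c (1 file, 5 insertions) and shows no caller of that function, so nothing visible here confirms that callers check the pointer before copying agent data into it. Please confirm each caller handles a NULL result, otherwise the dereference only moves one frame up, and consider documenting the NULL-under-flow-control return in a comment on the function itself rather than only inline. Minor: the inline comment would read more clearly as two sentences, for example "Check that the buffer was allocated. Flow control is enabled for this device, so NULL here is a normal condition."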