Tweak the code to clarify that conn->data.buf is set to NULL after the free() in udscs_read_complete(). Note that this reset is needed to avoid a double-free in udscs_destroy_connection() if an error occurs while receiving the next message header.

Signed-off-by: Francois Gouget <fgouget@xxxxxxxxxxxxxxx>
---

On Fri, 25 Nov 2016, Christophe Fergeau wrote:
> > This memset should 'buf' to NULL. (can't remember if I took that into
> account while writing the patch though :)

Maybe tweaking the code like below could help make this clearer. The comment may be overkill, or maybe on the contrary it should be made more explicit.

src/udscs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/udscs.c b/src/udscs.c index b468e71..414dce5 100644 --- a/src/udscs.c +++ b/src/udscs.c @@ -236,10 +236,10 @@ static void udscs_read_complete(struct udscs_connection **connp) if (!*connp) /* Was the connection disconnected by the callback ? */ return; } - free(conn->data.buf); + free(conn->data.buf); + memset(&conn->data, 0, sizeof(conn->data)); /* data.buf = NULL */ conn->header_read = 0; - memset(&conn->data, 0, sizeof(conn->data)); } /* A helper for udscs_client_handle_fds() */ -- 2.10.2
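
Review bot: The trailing comment on the moved memset() line, `/* data.buf = NULL */`, says what the memset does but not why the pointer has to be cleared, and the why is what stops a later cleanup from reordering or dropping it. The commit message already has the reason (udscs_destroy_connection() would free conn->data.buf a second time if receiving the next message header fails), so consider carrying that into the comment, or following the free() with an explicit `conn->data.buf = NULL;` so the intent does not rest on the reader knowing that zeroing the struct clears the pointer. Separately, the removed and added `free(conn->data.buf);` lines read identically here, so that pair looks like a whitespace-only change; if it is, say so in the commit message or leave it out of this patch.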