A RedClient can be freed from the main thread following
a main channel disconnection. This can happen while
another thread is allocating a new channel client for
that client.
To prevent the usage of a pointer which can be invalid
take ownership of the pointer.
Note that we don't need this disconnecting as disconnection
is done synchronously (the dispatch messages are registered
with DISPATCH_ACK).
Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
---
server/red-qxl.c | 6 ++++++
server/red-worker.c | 2 ++
2 files changed, 8 insertions(+)
diff --git a/server/red-qxl.c b/server/red-qxl.c
index 53f3338b..168b9f0d 100644
--- a/server/red-qxl.c
+++ b/server/red-qxl.c
@@ -83,6 +83,9 @@ static void red_qxl_set_display_peer(RedChannel *channel, RedClient *client,
spice_debug("%s", "");
dispatcher = (Dispatcher *)g_object_get_data(G_OBJECT(channel), "dispatcher");
+ // get a reference potentially the main channel can be destroyed in
+ // the main thread causing RedClient to be destroyed before using it
+ g_object_ref(client);
payload.client = client;
payload.stream = stream;
payload.migration = migration;
@@ -141,6 +144,9 @@ static void red_qxl_set_cursor_peer(RedChannel *channel, RedClient *client, Reds
RedWorkerMessageCursorConnect payload = {0,};
Dispatcher *dispatcher = (Dispatcher *)g_object_get_data(G_OBJECT(channel), "dispatcher");
spice_printerr("");
+ // get a reference potentially the main channel can be destroyed in
+ // the main thread causing RedClient to be destroyed before using it
+ g_object_ref(client);
payload.client = client;
payload.stream = stream;
payload.migration = migration;
diff --git a/server/red-worker.c b/server/red-worker.c
index 8fd964ea..fa69da2f 100644
--- a/server/red-worker.c
+++ b/server/red-worker.c
@@ -724,6 +724,7 @@ static void handle_dev_display_connect(void *opaque, void *payload)
dcc = dcc_new(display, msg->client, msg->stream, msg->migration, &msg->caps,
worker->image_compression, worker->jpeg_state, worker->zlib_glz_state);
+ g_object_unref(msg->client);
red_channel_capabilities_reset(&msg->caps);
if (!dcc) {
return;
@@ -816,6 +817,7 @@ static void handle_dev_cursor_connect(void *opaque, void *payload)
cursor_channel_connect(worker->cursor_channel,
msg->client, msg->stream, msg->migration,
&msg->caps);
+ g_object_unref(msg->client);
red_channel_capabilities_reset(&msg->caps);
}
--
2.13.5
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel