From: Marc-André Lureau <marcandre.lureau@redhat.com>
Date: Tue, 26 Jul 2016 21:15:08 +0000 (+0400)
Subject: qemu-char: fix qemu_chr_fe_set_msgfds() crash when disconnected
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=5c7eaabf65ba936f718ef4dfcfc551ffc9d4f35c;p=qemu.git

qemu-char: fix qemu_chr_fe_set_msgfds() crash when disconnected

Calling qemu_chr_fe_set_msgfds() on unconnected socket leads to crash
since s->ioc is NULL in this case. Return an error earlier instead.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---

diff --git a/qemu-char.c b/qemu-char.c
index e4b8448422..1274f50e00 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -2760,14 +2760,16 @@ static int tcp_set_msgfds(CharDriverState *chr, int *fds, int num)
 {
     TCPCharDriver *s = chr->opaque;
 
-    if (!qio_channel_has_feature(s->ioc,
-                                 QIO_CHANNEL_FEATURE_FD_PASS)) {
-        return -1;
-    }
     /* clear old pending fd array */
     g_free(s->write_msgfds);
     s->write_msgfds = NULL;
 
+    if (!s->connected ||
+        !qio_channel_has_feature(s->ioc,
+                                 QIO_CHANNEL_FEATURE_FD_PASS)) {
+        return -1;
+    }
+
     if (num) {
         s->write_msgfds = g_new(int, num);
         memcpy(s->write_msgfds, fds, num * sizeof(int));