From: Wolfgang Bumiller Date: Tue, 12 Jan 2016 12:52:39 +0000 (+0100) Subject: vnc: clear vs->tlscreds after unparenting it X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=67c4c2bd958b0074ffbcde12cb434cd064adab12;p=qemu.git vnc: clear vs->tlscreds after unparenting it This pointer should be cleared in vnc_display_close() otherwise a use-after-free can happen when using the old style 'x509' and 'tls' options rather than a persistent tls-creds -object, by issuing monitor commands to change the vnc server like so: Start with: -vnc unix:test.socket,x509,tls Then use the following monitor command: change vnc unix:test.socket After this the pointer is still set but invalid and a crash can be triggered for instance by issuing the same command a second time which will try to object_unparent() the same pointer again. Signed-off-by: Wolfgang Bumiller Reviewed-by: Daniel P. Berrange Signed-off-by: Gerd Hoffmann --- diff --git a/ui/vnc.c b/ui/vnc.c index 54673eb8c7..c2d3773968 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -3134,6 +3134,7 @@ static void vnc_display_close(VncDisplay *vs) vs->subauth = VNC_AUTH_INVALID; if (vs->tlscreds) { object_unparent(OBJECT(vs->tlscreds)); + vs->tlscreds = NULL; } g_free(vs->tlsaclname); vs->tlsaclname = NULL;
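Review bot: The `vs->tlscreds = NULL;` added inside the `if (vs->tlscreds)` block is the complete fix for the dangling pointer described in the message and mirrors the `g_free(vs->tlsaclname); vs->tlsaclname = NULL;` pattern in the trailing context, so the field now consistently means "non-NULL only while owned"; the one thing worth confirming in review is that no other code path drops the creds object without also clearing the field, since the `if (vs->tlscreds)` guard here is what prevents a second `change vnc` from calling `object_unparent()` on an already-released object.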