summaryrefslogtreecommitdiff
path: root/vnc.c
diff options
context:
space:
mode:
authorStefano Stabellini <stefano.stabellini@eu.citrix.com>2010-01-25 12:54:57 +0000
committerAnthony Liguori <aliguori@us.ibm.com>2010-01-26 18:09:08 -0600
commitc727a054594b1c94177373680408fbf4ee92d3f1 (patch)
tree9b02c9cbb36b61de898130989693b52065802bb6 /vnc.c
parentMusicpal: Fix descriptor walk in eth_send (diff)
downloadqemu-kvm-c727a054594b1c94177373680408fbf4ee92d3f1.tar.gz
qemu-kvm-c727a054594b1c94177373680408fbf4ee92d3f1.tar.bz2
qemu-kvm-c727a054594b1c94177373680408fbf4ee92d3f1.zip
vnc_refresh: calling vnc_update_client might free vs
Hi all, this patch fixes another bug in vnc_refresh: calling vnc_update_client might cause vs to be free()ed, in this case we cannot access vs->next right after to examine the next item on the list. Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> (cherry picked from commit 6185c5783c50ab5bb4bcdc317772848278cb9bc1)
Diffstat (limited to 'vnc.c')
-rw-r--r--vnc.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/vnc.c b/vnc.c
index 58eac73f9..a1f9c9293 100644
--- a/vnc.c
+++ b/vnc.c
@@ -2293,7 +2293,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
static void vnc_refresh(void *opaque)
{
VncDisplay *vd = opaque;
- VncState *vs = NULL;
+ VncState *vs = NULL, *vn = NULL;
int has_dirty = 0, rects = 0;
vga_hw_update();
@@ -2302,8 +2302,10 @@ static void vnc_refresh(void *opaque)
vs = vd->clients;
while (vs != NULL) {
+ vn = vs->next;
rects += vnc_update_client(vs, has_dirty);
- vs = vs->next;
+ /* vs might be free()ed here */
+ vs = vn;
}
/* vd->timer could be NULL now if the last client disconnected,
* in this case don't update the timer */