author | Marc-André Lureau <marcandre.lureau@redhat.com> | 2016-07-27 01:15:08 +0400 |
---|---|---|
committer | Michael S. Tsirkin <mst@redhat.com> | 2016-07-29 00:33:47 +0300 |
commit | 5c7eaabf65ba936f718ef4dfcfc551ffc9d4f35c (patch) | |
tree | d7dfff9fa9ba04abb1e2fce99ee754a3688556c2 | |
parent | 4afba631206d302303499edc22a8f3fc7a1816ee (diff) |
qemu-char: fix qemu_chr_fe_set_msgfds() crash when disconnected
Calling qemu_chr_fe_set_msgfds() on an unconnected socket leads to a crash
since s->ioc is NULL in this case. Return an error earlier instead.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-rw-r--r-- | qemu-char.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/qemu-char.c b/qemu-char.c
index e4b8448422..1274f50e00 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -2760,14 +2760,16 @@ static int tcp_set_msgfds(CharDriverState *chr, int *fds, int num)
 {
     TCPCharDriver *s = chr->opaque;
-    if (!qio_channel_has_feature(s->ioc,
-                                 QIO_CHANNEL_FEATURE_FD_PASS)) {
-        return -1;
-    }
     /* clear old pending fd array */
     g_free(s->write_msgfds);
     s->write_msgfds = NULL;
+    if (!s->connected ||
+        !qio_channel_has_feature(s->ioc,
+                                 QIO_CHANNEL_FEATURE_FD_PASS)) {
+        return -1;
+    }
+
     if (num) {
         s->write_msgfds = g_new(int, num);
         memcpy(s->write_msgfds, fds, num * sizeof(int));
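Review bot: Moving the guard below the g_free()/NULL reset changes what a failed call leaves behind: previously a -1 return on a channel without FD passing kept the pending fd array intact, whereas the new code now discards it before returning -1 for either the disconnected or the no-FD-pass case. That is a reasonable choice for the disconnected path, but it is silent, so the comment above the free should say so, e.g. `/* clear old pending fd array, even if the new set cannot be queued */`. The new check also still accepts any `int num`; a negative value passes `if (num)` and reaches `g_new()` and `memcpy()` with a size wrapped to gsize/size_t, so a `if (num < 0) return -1;` next to the connected check would close that hole if callers are not already guaranteed to pass a non-negative count. tcp_set_msgfds continues past the end of the hunk.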