commit 6fd8e79af031d8cfc0eb02d40d03281917fcb27b
author Tim Hardeck <thardeck@suse.de> Mon Jan 21 11:04:45 2013 +0100
committer Anthony Liguori <aliguori@us.ibm.com> Mon Jan 21 13:33:12 2013 -0600
tree 6fc46c4b8eef0ac65e9a9f3ac1f446dacdf83f1d
parent 7536ee4bc3da7e9b7fdadba5ba6ade63eaace430

vnc: fix possible uninitialized removals

Some VncState values are not initialized before the Websocket handshake.
If it fails QEMU segfaults during the cleanup. To prevent this behavior
intialization checks are added.

Signed-off-by: Tim Hardeck <thardeck@suse.de>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

ui/vnc.c

diff --git a/ui/vnc.c b/ui/vnc.c
index ee08894..ff4e2ae 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -1053,20 +1053,24 @@
     audio_del(vs);
     vnc_release_modifiers(vs);
 
-    QTAILQ_REMOVE(&vs->vd->clients, vs, next);
+    if (vs->initialized) {
+        QTAILQ_REMOVE(&vs->vd->clients, vs, next);
+        qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
+    }
 
     if (QTAILQ_EMPTY(&vs->vd->clients)) {
         dcl->idle = 1;
     }
 
-    qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
     vnc_remove_timer(vs->vd);
     if (vs->vd->lock_key_sync)
         qemu_remove_led_event_handler(vs->led);
     vnc_unlock_output(vs);
 
     qemu_mutex_destroy(&vs->output_mutex);
-    qemu_bh_delete(vs->bh);
+    if (vs->bh != NULL) {
+        qemu_bh_delete(vs->bh);
+    }
     buffer_free(&vs->jobs_buffer);
 
     for (i = 0; i < VNC_STAT_ROWS; ++i) {
@@ -2749,6 +2753,7 @@
 
 void vnc_init_state(VncState *vs)
 {
+    vs->initialized = true;
     VncDisplay *vd = vs->vd;
 
     vs->ds = vd->ds;

ui/vnc.h

diff --git a/ui/vnc.h b/ui/vnc.h
index f93c89a..45d7686 100644
--- a/ui/vnc.h
+++ b/ui/vnc.h
@@ -306,6 +306,7 @@
     QEMUPutLEDEntry *led;
 
     bool abort;
+    bool initialized;
     QemuMutex output_mutex;
     QEMUBH *bh;
     Buffer jobs_buffer;