authorGerd Hoffmann <kraxel@redhat.com>2013-07-31 11:17:58 +0200
committerGerd Hoffmann <kraxel@redhat.com>2013-08-01 13:03:42 +0200
commita14ff8a650b5943ee6221b952494661f7cb3b5e2 (patch)
tree7c675707d4fe4a4a76cc46f4d267910a34e4a9ba /hw/usb
parent75cc1c1fcba1987bdf3979c4289ab756c2b15742 (diff)
usb-redir: fix use-after-free
Reinitialize dev->cs to NULL after deleting it, to make sure it isn't used afterwards. Reported-by: Martin Cerveny <M.Cerveny@computer.org> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'hw/usb')
-rw-r--r--hw/usb/redirect.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 8b8c010..e3b9f32 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -1334,6 +1334,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);
qemu_chr_delete(dev->cs);
+ dev->cs = NULL;
/* Note must be done after qemu_chr_close, as that causes a close event */
qemu_bh_delete(dev->chardev_close_bh);
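Review bot: The added `dev->cs = NULL;` only takes effect after `qemu_chr_delete(dev->cs)` has returned, and the existing comment two lines below says that call causes a close event, so a handler running during the delete would still see the old pointer. Whether that handler or any later teardown step dereferences `dev->cs` is not visible in this hunk, so this is worth confirming. The new line also has no comment saying which later path it protects; something like `/* chardev is freed; clear it so later teardown and callbacks see NULL, not a dangling pointer */` would record the intent. Clearing the pointer only helps if the remaining users check for NULL, otherwise the use-after-free becomes a NULL dereference. The neighbouring comment names `qemu_chr_close` while the code calls `qemu_chr_delete`, and `usbredir_handle_destroy` continues outside the hunk.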